Signing Key Rollover
This article discusses what you need to know about the public keys that are used by EMD Digital identity platform to sign security tokens. It is important to note that these keys roll over on a periodic basis and, in an emergency, could be rolled over immediately. All applications that use EMD Digital identity platform should be able to programmatically handle the key rollover process. Continue reading to understand how the keys work, how to assess the impact of the rollover on your application, and how to update your application or establish a periodic manual rollover process to handle key rollover if necessary.
Overview of signing keys in EMD Digital identity platform
EMD Digital identity platform uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms, this works in the following way: EMD Digital identity platform uses a signing key that consists of a public and private key pair. When a user signs in to an application that uses EMD Digital identity platform for authentication, EMD Digital identity platform creates a security token that contains information about the user. This token is signed by EMD Digital identity platform using its private key before it is sent back to the application. To verify that the token is valid and originated from EMD Digital identity platform, the application must validate the token’s signature using the public keys exposed by EMD Digital identity platform, which are referenced from the tenant’s OpenID Connect discovery document.
For security purposes, EMD Digital identity platform’s signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. There is no set or guaranteed time between these key rolls - any application that integrates with EMD Digital identity platform should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesn’t, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail. Checking every 24 hours for updates is a best practice, with throttled (once every five minutes at most) immediate refreshes of the key document if a token is encountered with an unknown key identifier.
There is always more than one valid key available in the OpenID Connect discovery document. Your application should be prepared to use any and all of the keys specified in the document, since one key may be rolled soon, another may be its replacement, and so forth. The number of keys present can change over time based on the internal architecture of the EMD Digital identity platform as we support new platforms, new clouds, or new authentication protocols. Neither the order of the keys in the JSON response nor the order in which they were exposed should be considered meaningful to your app.
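The refresh policy described above (24-hour routine refresh, immediate but throttled refresh on an unknown key identifier, and keeping every key in the document) as an added example; this is not the platform's own code or a library API. It assumes the JWKS is a JSON object with a `keys` array whose entries carry a `kid`, and the class, function and constant names are hypothetical; network access is replaced by an injected fetch function so the block runs offline against constructed documents.

```python
import time
REFRESH_INTERVAL = 24 * 60 * 60   # routine refresh of the key document: every 24 hours
MISS_THROTTLE = 5 * 60            # unknown kid: immediate refresh, at most once per 5 minutes

class SigningKeyCache:
    def __init__(self, fetch_jwks, clock=time.time):
        self._fetch = fetch_jwks    # callable that downloads the JWKS named by the discovery document
        self._clock = clock
        self._keys, self._last_refresh, self._last_miss_refresh = {}, None, None

    def _refresh(self, now):
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", [])}  # keep all keys, by kid
        self._last_refresh = now

    def get_key(self, kid):
        """Return the JWK for this kid, or None (the caller must then reject the token)."""
        now = self._clock()
        if self._last_refresh is None or now - self._last_refresh >= REFRESH_INTERVAL:
            self._refresh(now)
        key = self._keys.get(kid)
        if key is None and (self._last_miss_refresh is None or now - self._last_miss_refresh >= MISS_THROTTLE):
            self._last_miss_refresh = now   # the key may have rolled: refetch now, but throttled
            self._refresh(now)
            key = self._keys.get(kid)
        return key

class _FakeClock:   # constructed clock so the walkthrough below runs offline
    def __init__(self): self.now = 0.0
    def advance(self, seconds): self.now += seconds
    def __call__(self): return self.now

def simulate_rollover():
    """Run a constructed rollover through the cache; returns (fetch_count, outcomes)."""
    docs = [{"keys": [{"kid": "old", "kty": "RSA"}, {"kid": "next", "kty": "RSA"}]}]
    fetches, clock = [], _FakeClock()
    def fetch():
        fetches.append(clock.now)
        return docs[-1]
    cache = SigningKeyCache(fetch, clock)
    found_old = cache.get_key("old") is not None       # first call loads the document
    found_next = cache.get_key("next") is not None     # second key in the same document is usable
    docs.append({"keys": [{"kid": "next", "kty": "RSA"}, {"kid": "new", "kty": "RSA"}]})  # keys roll
    clock.advance(60)
    found_new = cache.get_key("new") is not None       # unknown kid: immediate refetch
    clock.advance(60)
    rejected = cache.get_key("bogus") is None          # inside the 5-minute throttle: no refetch
    clock.advance(REFRESH_INTERVAL)
    still_new = cache.get_key("new") is not None       # 24 hours later: routine refresh
    return len(fetches), (found_old, found_next, found_new, rejected, still_new)
```

A `None` from `get_key` must end in the token being rejected; a missing key is never a reason to skip signature validation.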
Applications that support only a single signing key, or those that require manual updates to the signing keys, are inherently less secure and reliable. They should be updated to use standard libraries to ensure that they are always using up-to-date signing keys, among other best practices.