This article has been archived and is no longer maintained by ForgeRock.
OpenAM 13.0 supports multiple signing keys. Versions of OpenAM earlier than 13.0 do not; you can work around this limitation by creating a second IdP or SP that is identical to the first IdP or SP apart from its signing key and entity ID.
This example process sets up two different signing keys on the IdP side, with the SP as the relying party (but you can do it the other way round if applicable):
- Create a second IdP that is identical to the existing IdP, apart from having a different signing key and entity ID. This new IdP should be created in the same realm as the existing one.
- Add this second IdP to the same circle of trust as the existing IdP.
- Make the SP aware of the changed metadata. If OpenAM is also your SP, you can export the metadata from the new IdP and import it to the SP using the commands detailed in How do I export and import SAML2 metadata in AM (All versions)?
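Before importing the second IdP's exported metadata into the SP, it is worth confirming that the export really differs from the existing IdP in both entity ID and signing certificate, since a shared entity ID or a reused key defeats the workaround. The following is an added example, not ForgeRock's code; the entity IDs and certificate bytes are constructed, and real exports carry DER-encoded X.509 certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_fingerprints(metadata_xml):
    """Return (entityID, set of SHA-256 fingerprints of the IdP's signing certs)."""
    root = ET.fromstring(metadata_xml)
    fingerprints = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), fingerprints

def check_second_idp(old_xml, new_xml):
    """List what is wrong with the second IdP's metadata; empty means usable."""
    old_id, old_keys = signing_fingerprints(old_xml)
    new_id, new_keys = signing_fingerprints(new_xml)
    problems = []
    if old_id == new_id:
        problems.append("entityID is already used by the existing IdP")
    if not new_keys:
        problems.append("new IdP metadata carries no signing certificate")
    if old_keys & new_keys:
        problems.append("new IdP still signs with the existing IdP's certificate")
    return problems

def sample_idp_metadata(entity_id, cert_der):
    """Constructed minimal IdP metadata for the demo (not an OpenAM export)."""
    b64 = base64.b64encode(cert_der).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}"'
            f' entityID="{entity_id}"><md:IDPSSODescriptor>'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')

# Constructed entity IDs and certificate bytes; real exports hold DER certs.
OLD_IDP = sample_idp_metadata("https://idp.example.com/openam", b"constructed-old-cert")
NEW_IDP = sample_idp_metadata("https://idp.example.com/openam-key2", b"constructed-new-cert")
BAD_IDP = sample_idp_metadata("https://idp.example.com/openam-key2", b"constructed-old-cert")
```

Run `check_second_idp` against the metadata exported from the existing IdP and from the new one; an empty result means the new entity carries a distinct entity ID and a signing certificate the existing IdP does not use.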