SAML Certificate Rollover


If you receive notification that a SAML Identity Provider (IdP) is planning to change its certificates in the future, the SAML module can be configured for seamless certificate rollover by simply adding the new certificate to the configuration without removing the old one.

The SAML module will try to use certificates in the order in which they appear in the configuration file, so the old certificates will be used until they are no longer valid. Once the new certificates are in use, the old ones should be removed from the configuration.

This is an example notification from OpenAthens notifying customers that a certificate update is pending.

To update your ILLiad SAML module, edit the certificate section of the SAML.config file so that it includes the new certificates after the existing ones, as in the following example:

<PartnerIdentityProvider
    Name="https://saml.example.com/entityid"
    ProviderName="SAMLtestIdP"
    Description="SAMLTest IdP"
    SignAuthnRequest="true"
    SingleSignOnServiceUrl="https://mocksaml.com/api/saml/sso"
    SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    SingleLogoutServiceUrl="https://mocksaml.com/api/saml/slo"
    SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    DisableDestinationCheck="true"
    DisableRecipientCheck="true">
  <LocalCertificates></LocalCertificates>
  <PartnerCertificates>
    <!-- Old certificates. They are listed first, so they continue to be used until they expire. -->
    <Certificate
        StoreLocation="LocalMachine"
        StoreName="TrustedPeople"
        SerialNumber="1234567890"
        Use="Signature" />
    <Certificate
        StoreLocation="LocalMachine"
        StoreName="TrustedPeople"
        SerialNumber="1234567890"
        Use="Encryption" />
    <!-- New certificates, appended after the old ones. Once the old ones have expired, these will be used.
         Replace the placeholder serial numbers with the serial numbers of the new certificates
         after importing them into the LocalMachine\TrustedPeople store. -->
    <Certificate
        StoreLocation="LocalMachine"
        StoreName="TrustedPeople"
        SerialNumber="NEW-SIGNING-CERT-SERIAL-NUMBER"
        Use="Signature" />
    <Certificate
        StoreLocation="LocalMachine"
        StoreName="TrustedPeople"
        SerialNumber="NEW-ENCRYPTION-CERT-SERIAL-NUMBER"
        Use="Encryption" />
  </PartnerCertificates>
</PartnerIdentityProvider>
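As an added check (not part of the ILLiad SAML module or its documentation), the following PowerShell script reads SAML.config, looks up each PartnerCertificates entry in the Windows certificate store it names, and reports whether that certificate is valid, not yet valid, expired (and therefore safe to remove from the configuration) or missing from the store. It also warns when the same serial number is listed twice for one Use, which means the "new" entry still points at the old certificate. The config path is an assumption; adjust it for your installation.

```powershell
# Added example, not Atlas Systems code. Audits PartnerCertificates entries in
# SAML.config against the Windows certificate store so you know which old
# entries have expired and can be removed, and which new entries are live.
param(
    # Assumed location; adjust to your ILLiad web directory.
    [string]$ConfigPath = 'C:\inetpub\wwwroot\illiad\SAML.config'
)

[xml]$config = Get-Content -Path $ConfigPath -Raw
$now = Get-Date

foreach ($idp in $config.SelectNodes('//PartnerIdentityProvider')) {
    Write-Host "IdP: $($idp.GetAttribute('Name'))"
    $entries = @($idp.SelectNodes('PartnerCertificates/Certificate'))

    # Rollover mistake: the same serial listed twice for one Use means the
    # "new" entry is really the old certificate again.
    $entries |
        Group-Object -Property { "$($_.GetAttribute('Use'))|$($_.GetAttribute('SerialNumber'))" } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { Write-Warning "Use|Serial $($_.Name) is listed $($_.Count) times" }

    $position = 0
    foreach ($entry in $entries) {
        $position++
        $serial    = $entry.GetAttribute('SerialNumber')
        $storePath = "Cert:\$($entry.GetAttribute('StoreLocation'))\$($entry.GetAttribute('StoreName'))"

        # String -eq is case-insensitive, so lower-case hex in the config still
        # matches the upper-case SerialNumber the store reports.
        $cert = Get-ChildItem -Path $storePath |
            Where-Object { $_.SerialNumber -eq $serial } |
            Select-Object -First 1

        if (-not $cert) {
            $status = 'MISSING from store (the module cannot use this entry)'
        } elseif ($cert.NotAfter -lt $now) {
            $status = "EXPIRED $($cert.NotAfter.ToString('u')) - safe to remove from SAML.config"
        } elseif ($cert.NotBefore -gt $now) {
            $status = "NOT YET VALID (valid from $($cert.NotBefore.ToString('u')))"
        } else {
            $status = "VALID until $($cert.NotAfter.ToString('u')) - $($cert.Subject)"
        }
        Write-Host ('  #{0} Use={1} Serial={2}: {3}' -f $position, $entry.GetAttribute('Use'), $serial, $status)
    }
}
```

Run it once after adding the new entries to confirm both the old and new certificates resolve in the store, and again after the IdP's cutover to see which old entries report EXPIRED and can be deleted.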
