Layer7 Access Management


Certificate rollover for token signing in SM12.52 - ADFS pain

  • 1.  Certificate rollover for token signing in SM12.52 - ADFS pain

    Posted 07-28-2017 12:03 PM

    Hi there,


    we've been setting up several new partnership federations lately, where we use CA SSO 12.52 SP1 CR04 as a Service Provider to serve multiple Identity Providers implemented with different technologies, but always sticking to SAML 2.0.


    One of our IdPs is using Microsoft ADFS, and we had a hard time explaining to them that the federation stopped working when their token signing certificate was automatically replaced by some procedure that puts a new certificate online to be downloaded with the metadata. Apparently they were assuming we could automatically download and install the new certificate without any notification.


    They say their ADFS will do the certificate rollover without intervention, assumed our SiteMinder would do the same, and even if they are willing to alert us on a new certificate release, the fact that it is the ADFS itself that substitutes them without intervention would prevent them from agreeing with us on a coordinated action to reduce the outage.


    I came across a feature that's in SM 12.6:


    • Signing key rollover support using secondary verification certificates—You can configure a secondary verification certificate alias at the IdP and SP to verify the signatures on messages. A remote entity can issue a new verification certificate any time. The reasons can include a key being compromised, certificate expiry, or a change in key size. Specifying a secondary verification certificate eliminates the need to coordinate system-wide updates of signing and verification certificates simultaneously.

      An entity first tries to verify the message signature with the primary certificate. If the verification fails, the entity uses the secondary certificate for signature verification. The Secondary Verification Certificate Alias field is configurable in the remote IdP and SP configurations and in the Signature and Encryption step of any SAML 2.0 partnership. To aid in troubleshooting, log messages have been added to the Policy Server trace log, smtracedefault.log. Refer to the instructions for configuring an SP-to-IdP partnership to enable these new features.

    No secondary certificate option is available for encryption.



    It seems the perfect feature to ease the problem, since this would allow us to load the new certificate in advance, and whenever the IdP ADFS rolls the old one away, our Service Provider would already be fitted with the new one and there would be no outage at all.


    Unfortunately, I found news about this feature for v. 12.6, but we are still on 12.52 SP01 CR04.


    Does anyone know of similar possibilities on 12.52 SP1 CRxx? I could plan a quick in-place upgrade to a greater CR than the currently installed 04, but it's a bit more complicated to jump to a newer major release.


    Are there any possibilities to backport the feature to 12.52 SP1 by any means? That would be a life-saver for us, since I see more and more ADFS partnerships upcoming...


    Thank you all!


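    As an added example (it is not code from this thread, from CA SSO or from ADFS), the Go program below models the SP side of the 12.6 behaviour quoted in the post: it pulls every signing certificate out of the IdP's SAML 2.0 metadata, flags any the SP has not configured yet (the cue to load it as the secondary before the IdP starts signing with it), and verifies a signature with the primary certificate first, falling back to the secondary only when the primary fails. The metadata is constructed inline rather than downloaded, the entityID under adfs.example.com is hypothetical, and RSA-SHA256 over raw bytes stands in for XML-DSig's signing of the canonicalised SignedInfo element; the encryption KeyDescriptor is included only to show it is skipped, matching the "no secondary for encryption" caveat.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SigningCertsFromMetadata returns, in document order, every certificate the IdP
// publishes for signing (use="signing", or no use attribute, which means both).
func SigningCertsFromMetadata(doc []byte) ([]*x509.Certificate, error) {
	var ed struct { // local-name matching, so md:/ds: prefixes do not matter
		KeyDescriptors []struct {
			Use  string `xml:"use,attr"`
			Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"IDPSSODescriptor>KeyDescriptor"`
	}
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return nil, err
	}
	var certs []*x509.Certificate
	for _, kd := range ed.KeyDescriptors {
		if kd.Use != "" && kd.Use != "signing" {
			continue // encryption-only key; the 12.6 secondary slot does not cover these
		}
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(kd.Cert), ""))
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// Sign is RSA-SHA256 over msg (a stand-in for signing the canonicalised SignedInfo).
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

// VerifyWithFallback is the primary-then-secondary rule from the 12.6 notes: certs[0]
// is the primary verification certificate, certs[1] the secondary. It returns the
// index of the certificate that verified the signature, or an error if none did.
func VerifyWithFallback(msg, sig []byte, certs []*x509.Certificate) (int, error) {
	d := sha256.Sum256(msg)
	for i, c := range certs {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil {
			return i, nil
		}
	}
	return -1, fmt.Errorf("signature verified by none of %d configured certificates", len(certs))
}

// NewlyPublished lists metadata certificates not yet configured at the SP (compared
// by DER bytes): the cue to load one as the secondary before the IdP switches to it.
func NewlyPublished(configured, published []*x509.Certificate) (out []*x509.Certificate) {
	known := map[string]bool{}
	for _, c := range configured {
		known[string(c.Raw)] = true
	}
	for _, p := range published {
		if !known[string(p.Raw)] {
			out = append(out, p)
		}
	}
	return out
}

// selfSigned makes a throwaway key and base64 DER certificate for the demo data only
// (errors from key generation with rand.Reader are ignored in this helper on purpose).
func selfSigned() (*rsa.PrivateKey, string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, base64.StdEncoding.EncodeToString(der)
}

// BuildScenario constructs (not downloads) metadata for a hypothetical ADFS entityID that,
// like the IdP in the post, already publishes the next signing certificate next to the
// current one. It returns the metadata plus the current and next signing keys.
func BuildScenario() ([]byte, *rsa.PrivateKey, *rsa.PrivateKey) {
	current, curB64 := selfSigned()
	next, nextB64 := selfSigned()
	kd := `<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	meta := fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.com/adfs/services/trust"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">%s%s%s</md:IDPSSODescriptor></md:EntityDescriptor>`,
		fmt.Sprintf(kd, "signing", curB64), fmt.Sprintf(kd, "signing", nextB64), fmt.Sprintf(kd, "encryption", curB64))
	return []byte(meta), current, next
}
```

    In use, an SP that only has the current certificate configured sees one entry from NewlyPublished and should load it as the secondary verification certificate; after that, a message signed with either key verifies, and the index returned tells you (as the 12.6 trace log would) whether the IdP has already switched. A message signed with the new key while only the primary is configured is exactly the outage described in the post.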

  • 2.  Re: Certificate rollover for token signing in SM12.52 - ADFS pain
    Best Answer

    Posted 07-31-2017 07:31 AM
    Hi Ffc,

    Indeed, the functionality you underlined, available in 12.6, allows you to set a second certificate and key pair in order to validate the signature and encryption of the assertion in case the primary one would be

    As of now, this functionality isn't available in 12.52SP1CR04.

    We invite you to request to port this functionality into the 12.52SP1 version by submitting an Idea to the Security page:

    You might get in touch with CA Services in case there would be any workaround for this. I don't know of any off the top of my head.

    I hope that helps,
    Best Regards,