Layer 7 Access Management

Expand all | Collapse all

SAML Federation - Auto Update of SSL Certs?

Jump to Best Answer
  • 1.  SAML Federation - Auto Update of SSL Certs?

    Posted 01-06-2015 09:35 AM

    In our SAML Federation environment, we exchange SSL certificates with our clients/vendors on an annual basis.  Is there a product feature in CA SiteMinder or an add-on that can make the update process more seamless and require less coordination?  I think this feature is available with ADFS implementations...

     

    Any comments or suggestions are welcomed...



  • 2.  Re: SAML Federation - Auto Update of SSL Certs?

    Posted 04-30-2015 11:08 AM

    Hey john.j.yee! Are you still looking for a solution here? If so, can someone please answer John? THANKS!



  • 3.  Re: SAML Federation - Auto Update of SSL Certs?

    Posted 04-30-2015 12:25 PM

    John,

     

    As far as I am aware, there is no feature to perform this in a more efficient and less impacting manner.  I wish there was!

     

    I have performed the following procedure to replace a certificate live without having to deactivate partnerships.  However, I would like to stress that this is probably not a supported procedure from CA and should only be undertaken with great care and the ability to restore your policy store quickly.  If you're using a policy store that is not easy to restore I would probably suggest not doing the below. 

     

    I apologize, I wrote this procedure for me, so please forgive the roughness of it.

     

    1. Open xpsexplorer
    2. Go to option 3 and find the new certificate.
    3. Write down the alias, IssuerDN, and SerialNumber values for the certificate.
    4. Exit and go back to main menu.
    5. Go to option 141 : SAML2SP
    6. Get writable copy of the necessary item
    7. Replace "49:DSigningAlias, 50:DsigVerInfoIssuerDN, 51:DSigVerInfoSerialNumber" with the new values from the new certificate.
    8. Verify the object, and update the object.
    9. Go back to main menu, open option 27: Certificate.
    10. Find the relevant certificate and write down the "CA.FED::Certificate" XID.
    11. Go back to main menu, then option 59: SPPartnership 12. Open the relevant partnership and get a writable copy.
    12. Replace "40: SigningCertLink" with the appropriate "CA.FED::Certificate" option from the step above.
    13. Verify the object, then update the object.
    14. Verify the partnership is being signed with the new certificate.

     

    Good Luck!

    David



  • 4.  Re: SAML Federation - Auto Update of SSL Certs?

    Posted 04-30-2015 06:22 PM

    Awesome.  Johnny, tell the man what he's won! 



  • 5.  Re: SAML Federation - Auto Update of SSL Certs?

    Posted 04-30-2015 07:09 PM

    OOO OOO OOO, I hope it's a jet ski!



  • 6.  Re: SAML Federation - Auto Update of SSL Certs?
    Best Answer

    Posted 05-04-2015 09:51 AM

    Thanks David ! Appreciate the response...