Symantec Access Management

  • 1.  Steps to update the expiring IDP certificate

    Posted Jan 08, 2019 03:08 AM

    Please illustrate all the steps involved in updating the expiring IDP certificate through the CA Single Sign-On Admin UI.

     

    Please suggest whether generating a CSR through the Admin UI, requesting a certificate renewal, and then finally updating the certificate through the Admin UI will help us solve this issue. Please suggest the steps for it. Also, is there any way to generate the key with the CSR through the Admin UI?

     

    Are there any other steps involved ?

     

    Also, please suggest whether we need to manually update the IDP certificate details on the SP side.

     

    Thanks.



  • 2.  Re: Steps to update the expiring IDP certificate

    Broadcom Employee
    Posted Jan 11, 2019 04:57 PM

    What version of SiteMinder are you running?



  • 3.  Re: Steps to update the expiring IDP certificate

    Broadcom Employee
    Posted Jan 14, 2019 03:58 PM

    The reason I asked what version is in use is that SiteMinder r12.6 (or maybe 12.7) introduced the ability to specify a Secondary Verification Certificate Alias, which makes it possible to roll to a new certificate without having to deactivate and then reactivate the partnership. I would think that operational consideration would be an important aspect of your certificate renewal process.



  • 4.  Re: Steps to update the expiring IDP certificate

    Posted Mar 27, 2019 12:42 PM

    Hi Richard,

     

    Please correct me if I'm mistaken.

     

    The secondary verification certificate is supposed to be supplied by the federation partner. In case the federation partner (be it SP or IdP) does a cert renewal on their end, we can use the secondary cert that they supplied to verify their signature in the SAML request or response.

     

    On the flip side, we can provide primary and secondary certs to the federation partner so that they can use both certs to try and verify our signature if and when we do a cert renewal at our end.

     

    Having said that, this seems to be meant only for signature verification.

     

    The "secondary certificate" mechanism isn't available for the encryption and decryption part of the assertion processing flow.

     

    So if anyone implements assertion encryption and needs to do a cert renewal, a collaborative effort is required between IdP and SP to apply the new cert at the same time, and downtime is expected. So there is going to be operational impact in such cases.

     

    regards,

    Zen



  • 5.  Re: Steps to update the expiring IDP certificate

    Posted Jan 11, 2019 05:33 PM

    I hope you are using certificates from a Certificate Authority (CA) instead of self-signed certificates. Below are the steps at a high level.

     

    1. Procure a new certificate (public key & private key) from your Certificate Authority.

    2. Log in to the SM Admin UI. Navigate to Infrastructure -> X509 Certificate Management -> Trusted Certificates and Private Keys and import the new certificate.

    3. Navigate to the federation partnership and use the certificate newly imported in step 2.

    4. Export the metadata of the partnership and share it with the Service Provider.

    5. The SP should import the metadata, which has the new certificate.



  • 6.  Re: Steps to update the expiring IDP certificate

    Posted Mar 27, 2019 01:07 PM

    I'm inclined to disagree. Long-lived self-signed certs (I use a 15-year expiration) work fine (and dare I say it... better) in a federation context.

     

    Unlike typical SSL certs that browsers need to verify, certs for federation use never get processed by the browser, as they are only for the servers' internal processing.

     

    Imagine you set up CA SSO as IdP and federate with 20 or more SPs. If all those SPs use paid public Certificate Authority signed certs, which have 1- or 2-year expirations at different dates, it will be quite the support nightmare to cater for all those frequent renewals.

     

    If everyone uses long-lived self-signed certs for federation, we have greater flexibility over mutually agreed dates for cert renewal. Just to be clear, I don't mean use the same cert for 15 years. You should probably renew your cert annually, bi-annually or tri-annually, whatever your company policy dictates. But at least this way we can plan for it much more easily.

     

    https://spaces.at.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata#X.509CertificatesinMetadata-Requirements

    https://wiki.shibboleth.net/confluence/display/CONCEPT/SAMLKeysAndCertificates#SAMLKeysAndCertificates-CreatingaSAMLKeyandCertificate

    https://simplesamlphp.org/docs/stable/saml:keyrollover

    https://support.google.com/a/answer/6342198?hl=en

    https://support.panopto.com/s/article/saml-0 (see point 4)

    https://www.oasis-open.org/committees/download.php/56786/sstc-saml-metadata-errata-2.0-wd-05-diff.pdf (Line 697) - this statement somewhat says the specs don't care if you use self-signed or not.

     

    Just my two cents.

     

    regards,

    Zen
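The two renewal routes discussed in post 5 (key plus CSR sent to a CA, issued cert imported under Trusted Certificates and Private Keys) and post 6 (long-lived self-signed signing cert) both start outside the Admin UI with the openssl CLI. The script below is an added example written for this page; it is not from the thread, from Broadcom, or from any SiteMinder tool. It generates the private key together with the CSR (the question asked in post 1), checks that the issued cert really belongs to the key you kept, checks remaining lifetime so you are warned before the partnership breaks, prints the SHA-256 fingerprint to compare with what the SP sees, and bundles key and cert as PKCS#12 for import. Subject names, file names, the 15-year and 90-day figures, the alias and the password are assumptions for the demo; the `fake_ca_sign` step self-signs the CSR only so the script runs offline, and in production that step is your CA returning the issued certificate.

```shell
#!/bin/sh
# Added example for the renewal thread above, not code from the thread or from
# SiteMinder. Assumes the openssl CLI is installed. Subject names, file names,
# lifetimes, alias and password below are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Route from post 5: create the private key and the CSR in one step, send the
# CSR to the CA, keep the key. -nodes leaves the key unencrypted so it can be
# bundled into a PKCS#12 later; restrict file permissions accordingly.
gen_key_and_csr() {   # $1 = basename, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Route from post 6: long-lived self-signed signing certificate for SAML use.
# 15 years is roughly 5475 days, the lifetime mentioned in that post.
gen_selfsigned() {    # $1 = basename, $2 = subject, $3 = days
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" 2>/dev/null
}

# Stand-in for the CA so the demo runs offline: self-signs the CSR with its
# own key. In production this step is performed by your CA.
fake_ca_sign() {      # $1 = basename, $2 = days
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -days "$2" -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# Does the issued certificate belong to the key you kept? Compares the DER
# SubjectPublicKeyInfo of both, which works for RSA and EC keys alike.
key_matches_cert() {  # $1 = basename
    [ -s "$WORK/$1.key" ] && [ -s "$WORK/$1.crt" ] || return 1
    k=$(openssl pkey -in "$WORK/$1.key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Returns 0 if the cert is still valid for at least $2 more seconds, 1 if it
# expires inside that window. Run it from cron with a 90-day window to get
# ahead of the expiry this thread is about.
cert_valid_for() {    # $1 = basename, $2 = seconds
    openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint to compare against the cert the SP has on file.
cert_fingerprint() {  # $1 = basename
    openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Bundle key and cert as PKCS#12 for import under
# Infrastructure -> X509 Certificate Management -> Trusted Certificates and Private Keys.
to_pkcs12() {         # $1 = basename, $2 = alias, $3 = password
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -name "$2" -passout "pass:$3" -out "$WORK/$1.p12"
}

demo() {
    gen_key_and_csr idp-2019 "/CN=idp.example.com/O=Example"   # CA route
    fake_ca_sign idp-2019 730                                   # CA returns a 2-year cert
    key_matches_cert idp-2019                                   # abort (set -e) on mismatch
    cert_valid_for idp-2019 $((90 * 86400))                     # at least 90 days left
    to_pkcs12 idp-2019 idp-signing-2019 changeit                # ready for Admin UI import
    echo "new IdP signing cert fingerprint: $(cert_fingerprint idp-2019)"

    gen_selfsigned idp-selfsigned "/CN=idp.example.com/O=Example" 5475  # post 6 route
    echo "self-signed cert fingerprint: $(cert_fingerprint idp-selfsigned)"
}

demo
```

The fingerprint is what to hand the SP administrator alongside the exported metadata, so both sides can confirm the cert that went into the partnership is the one the SP now trusts; the `cert_valid_for` check is the piece to schedule, since nothing in the federation flow itself will warn you before the signing cert expires.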