
How to safely self-update your IDP certificates and avoid future "IDP Certificate Mismatch" errors

Problem

Several identity provider (IdP) servers (for example, ADFS) can switch to a new signing certificate 2-4 weeks before the current one expires, causing alerts and authentication errors in your Multi-SSO configuration. Once the certificate changes, you need to update every instance that trusts that IdP, otherwise users get SSO authentication errors when they try to log in.

Symptoms

You know you can self-update your SSO certificates because:

  • You have the Multi-SSO plugin installed.
  • Your IdP metadata URL is accessible from the instance.
  • Users receive an error message when trying to log in and are sent to a logout page.
  • The system logs show an "IDP Certificate Mismatch" error when users try to log in.
  • Once the SAML certificate on the instance is replaced with the one currently provided by the IdP, users are able to log in again.

Cause

Your IdP has changed its signing certificate, so the instance can no longer validate the signature on the SAML responses it receives from the IdP.

Resolution

From the Kingston release, there is a scheduled job, "Refresh MultiSSO IDP Metadata", that fetches the IdP metadata from the IdP metadata URL set on the IdP record and updates its certificates automatically.

To allow the system to refresh the certificates from the IdP metadata automatically, ensure the IdP metadata URL is reachable from the instance. If it is not, you will need to keep updating the certificate manually every time the IdP changes it.

If you have an accessible metadata URL, perform the following:

  1. Open the IdP record from the list view of the SAML2 properties table (saml2_update1_properties), NOT from the menu named Identity Providers:
    e.g. <instance>/saml2_update1_properties_list.do?sysparm_query=

    Ensure the IdP is active and set the "IDP Metadata URL" field (saml2_update1_properties.idp_metadata_url) to the URL that points to the IdP metadata (which contains the signing certificates).
    For SSO Circle this is "https://idp.ssocircle.com/".

    (Screenshot: Set the URL to retrieve the IdP metadata)
  2. Ensure the Scheduled Script Execution "Refresh MultiSSO IDP Metadata" is active and runs every 30 minutes:
    <instance>/sysauto_script_list.do?sysparm_query=name%3DRefresh%20MultiSSO%20IDP%20Metadata
    (Screenshot: Scheduled script execution active)
  3. Validate that the scheduled job executes correctly. The certificates on the IdP record are refreshed from the metadata every 30 minutes.

That is all. Your certificates will now be refreshed every 30 minutes.

Warning: The refresh may retrieve both the encryption and the signing certificates from the metadata. However, Multi-SSO only uses the signing certificates.
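What the scheduled job does on the instance can be reproduced out-of-band to check an IdP before the mismatch happens. The following is an added example, not code from the original article or from ServiceNow: it parses an IdP metadata document, keeps only the certificates the IdP may sign with (encryption-only certificates are dropped, matching the warning above), and compares them with the certificate currently configured on the instance. The metadata document, the entity ID and the certificate bodies are constructed placeholders, not real X.509 data.

```python
"""Check an IdP's SAML metadata for a signing-certificate rollover.

Added example (not ServiceNow code): it does out-of-band what the
"Refresh MultiSSO IDP Metadata" job does on the instance. It reads an IdP
metadata document, extracts the X.509 certificates the IdP publishes for
signing, ignores encryption-only certificates (Multi-SSO does not use them),
and compares the result with the certificate currently configured on the
instance so a rollover is spotted before "IDP Certificate Mismatch" appears.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _normalize(cert_b64: str) -> str:
    """Strip the line breaks and spaces metadata files wrap certificates in."""
    return "".join(cert_b64.split())


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the DER certificate, colon-separated uppercase hex."""
    der = base64.b64decode(_normalize(cert_b64))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certificates(metadata_xml: str) -> list:
    """Return the base64 DER of every certificate the IdP may sign with.

    Per the SAML metadata spec a KeyDescriptor without a 'use' attribute is
    valid for both signing and encryption, so only use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.append(_normalize(node.text))
    return certs


def check_rollover(configured_cert_b64: str, metadata_xml: str) -> dict:
    """Compare the instance's configured certificate with what the IdP publishes.

    'configured_still_published' is False once the IdP has dropped the old
    certificate, i.e. the state that produces "IDP Certificate Mismatch".
    'new_certificates' lists fingerprints the instance does not have yet, which
    an IdP such as ADFS publishes weeks before switching to them.
    """
    configured = fingerprint(configured_cert_b64)
    published = [fingerprint(c) for c in signing_certificates(metadata_xml)]
    return {
        "configured_still_published": configured in published,
        "new_certificates": [fp for fp in published if fp != configured],
    }


# Constructed sample metadata. The certificate bodies are base64 of placeholder
# strings rather than real X.509 DER, which is enough to exercise the logic.
def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


OLD_B64 = _b64("OLD-SIGNING-CERT-PLACEHOLDER")
NEW_B64 = _b64("NEW-SIGNING-CERT-PLACEHOLDER")
ENC_B64 = _b64("ENCRYPTION-ONLY-CERT-PLACEHOLDER")
DUAL_B64 = _b64("SIGNING-AND-ENCRYPTION-CERT-PLACEHOLDER")


def _key_descriptor(use, cert_b64: str) -> str:
    use_attr = f' use="{use}"' if use else ""
    # The certificate is wrapped across lines the way metadata files usually are.
    return (f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>\n  {cert_b64}\n</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="https://idp.example.test/adfs/services/trust">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor("signing", OLD_B64)
    + _key_descriptor("signing", NEW_B64)
    + _key_descriptor("encryption", ENC_B64)
    + _key_descriptor(None, DUAL_B64)
    + "</md:IDPSSODescriptor></md:EntityDescriptor>"
)

if __name__ == "__main__":
    # Instance still has OLD configured; the IdP has pre-published NEW.
    print(check_rollover(OLD_B64, SAMPLE_METADATA))
```

To run this against a real IdP, replace SAMPLE_METADATA with the document downloaded from one of the metadata URLs listed below and pass the base64 body of the certificate currently stored on the IdP record. A non-empty "new_certificates" list with "configured_still_published" still true is the pre-rollover window in which the scheduled job (or a manual update) can pick up the new certificate before logins start failing. One caveat worth keeping in mind: the refresh trusts whatever the metadata URL returns, so the URL must be an HTTPS endpoint operated by the IdP itself; anyone able to serve a substitute metadata document to the instance could have it accept a different signing certificate.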


Here are a few references regarding the IdP metadata URLs:

  • For SSO Circle, the metadata is found here: https://idp.ssocircle.com/
  • For Okta, the generic format of the SAML metadata URL is: https://[okta_org_url].okta.com/app/[app_id]/sso/saml/metadata
  • For ADFS, the metadata is usually on https://<adfs URL>/FederationMetadata/2007-06/FederationMetadata.xml
  • For Azure, https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml

Please contact your IdP administrators to validate the correct metadata URL required.


Article Information

Last Updated:2018-02-27 14:10:21
Published:2018-02-27