SAML Partnership dynamic certificate update for signature in IdP

Article ID: 278091


Products

CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), SITEMINDER

Issue/Introduction


Is it possible for the SP side of a SAML partnership to dynamically pick up an updated IdP signing certificate?

Resolution


There is no way for the SP side to retrieve the IdP signing certificate dynamically, and there is no way to configure a secondary certificate for signing assertions at the IdP.

The main reason is that the IdP must know exactly which certificate to use; it can sign with only one at a time. So, at any given moment, the IdP must be configured to use either the old certificate or the new one.

This is what happens when the certificate is changed in the AdminUI.

It is possible to configure a secondary certificate in SiteMinder for SAML request validation only.

That gives flexibility when the Partner plans to change its certificate: the secondary verification certificate works as a fallback, which avoids having to change the certificate on both sides "simultaneously" (1).

The concept of a secondary verification certificate is also available from other Federation Services vendors, such as Ping (2).

So, by sending the Partners the new certificate that is planned for the IdP configuration some time before the change, they can set it as a secondary validation certificate and thereby avoid downtime.

Make the certificate change at the IdP in a low-traffic timeframe.

Note that from version 12.6 of SiteMinder, there is no need to deactivate the partnership when modifying the certificate (3)(4).
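As an added illustration that is not part of this article or of the SiteMinder product, the Go program below models the primary/secondary verification arrangement described above: the IdP signs with exactly one key at a time, while an SP holding both the current and the planned certificate accepts either, and an SP holding only the current one rejects assertions after the cutover. The type and function names, the raw RSA signature over the assertion bytes (standing in for XML-DSig) and the sample assertion are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// spVerifier models the SP-side configuration described above: a primary
// verification key plus an optional secondary (fallback) key.
type spVerifier struct {
	primary   *rsa.PublicKey
	secondary *rsa.PublicKey // nil when no fallback is configured
}

var errNoMatch = errors.New("signature verifies against neither primary nor secondary certificate")

// verify checks an RSA PKCS#1 v1.5 / SHA-256 signature over the assertion bytes,
// trying the primary key first and the secondary only as a fallback.
// The returned slot name lets operators see when the fallback is in use.
func (v *spVerifier) verify(assertion, sig []byte) (string, error) {
	digest := sha256.Sum256(assertion)
	if rsa.VerifyPKCS1v15(v.primary, crypto.SHA256, digest[:], sig) == nil {
		return "primary", nil
	}
	if v.secondary != nil && rsa.VerifyPKCS1v15(v.secondary, crypto.SHA256, digest[:], sig) == nil {
		return "secondary", nil
	}
	return "", errNoMatch
}

// idpSign models the IdP, which signs with exactly one key at any moment.
func idpSign(key *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

func main() {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // current IdP signing key
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048) // key planned for the cutover
	assertion := []byte("<saml:Assertion>constructed sample</saml:Assertion>")

	// SP prepared ahead of the change: old cert primary, new cert secondary.
	sp := &spVerifier{primary: &oldKey.PublicKey, secondary: &newKey.PublicKey}
	for _, key := range []*rsa.PrivateKey{oldKey, newKey} { // before and after cutover
		sig, _ := idpSign(key, assertion)
		slot, err := sp.verify(assertion, sig)
		fmt.Println("matched slot:", slot, "error:", err)
	}
}
```

Logging which slot matched is useful in practice: once every assertion verifies against the secondary slot, the partner knows the cutover has happened and can promote the new certificate to primary.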


Additional Information


  1. SAML 2.0 Enhancements for a CA Single Sign-On Service Provider
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-6-01/release-notes/new-features/federation-new-features.html

  2. How do I change a verification certificate in PingOne for Enterprise?
    https://support.pingidentity.com/s/article/How-do-I-change-a-verification-certificate-in-PingOne

  3. Modify Certificate Settings for an Active SAML 2.0 Partnership
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/signature-and-encryption-configuration-for-federated-partnerships/modify-certificate-settings-for-an-active-saml-2-0-partnership.html

  4. Certificate Configuration Changes to Active SAML 2.0 Partnerships
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-6-01/release-notes/new-features/federation-new-features.html