SSO ADFS certificate replacement

Article ID: 321768

Updated On: 12-30-2024

Products

VMware Integrated OpenStack

Issue/Introduction

  • The ADFS token-signing certificate is about to expire and needs to be replaced.

Environment

7.x

Cause

Replacing the token-signing certificate on the ADFS side changes the key the IdP uses to sign SAML assertions, while VIO keeps trusting the certificate from the IdP metadata it last imported. The two sides are therefore out of sync in terms of trust, and assertions signed with the new certificate are no longer accepted. The IdP metadata on the VIO side must be refreshed before SSO login to the federated domain works again.

Resolution

  1. Replace the token-signing certificate on the ADFS server side.
  2. In the VIO Management UI, check the federation settings and ensure Generic SAML2 insecure is selected.
  3. Make a change to the keystone configuration to trigger a rerun of the keystone jobs. For example, add one extra parameter:
#viocli update keystone
conf:
  keystone:
    DEFAULT:
      test: true    <<<<
  …
  4. Monitor the keystone, keystone federation and other related jobs, which should rerun after the change:
root@photon-machine [ ~ ]# osctl get job |grep keystone
 
helm-keystone-keystone1-########## 1/1 81s 24h
keystone-federation-setup 1/1 10s 24h
keystone-idp-mapping 1/1 9s 24h
keystone-idp-metadata-manage 0/1 4m5s 4m5s
 
Wait until every job reports 1/1 before testing an SSO login; in the sample output above, keystone-idp-metadata-manage is still running (0/1).

Note: The keystone-api pods are expected to be recreated after the keystone jobs complete successfully.
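To confirm that the trust described under Cause is actually out of sync before (and in sync after) the rerun, the signing certificates ADFS publishes in its federation metadata can be compared against the IdP metadata copy the VIO side last imported. The following script is an added example and is not part of VMware Integrated OpenStack or ADFS; the entity ID, the helper names and the placeholder certificate bytes are all constructed for the example, and the comparison deliberately hashes only what each side advertises as a signing key.

```python
"""Compare the signing certificate(s) ADFS currently publishes with the ones the
keystone SAML metadata copy still trusts. Hypothetical helper, not part of VIO."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Iterable

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as openssl prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def signing_fingerprints(metadata_xml: str) -> set[str]:
    """Fingerprints of every certificate the IdP advertises for signing assertions.

    Only KeyDescriptor elements under IDPSSODescriptor are considered; the certificate
    inside the metadata's own ds:Signature (ADFS signs its metadata) is ignored on
    purpose. A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption per the SAML metadata spec, so it counts as a signing key here.
    """
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if not cert.text:
                continue
            # Base64 in metadata is usually line-wrapped; drop all whitespace first.
            der = base64.b64decode("".join(cert.text.split()))
            found.add(fingerprint(der))
    return found


def trust_status(live_idp_xml: str, cached_idp_xml: str) -> dict:
    """Compare what ADFS publishes now with the metadata keystone last imported.

    needs_refresh: ADFS signs with a certificate keystone does not know, so SSO
                   logins fail until the VIO side re-imports the IdP metadata.
    stale:         certificates keystone still trusts that ADFS no longer publishes;
                   logins still work, but the retired key should be dropped.
    """
    live = signing_fingerprints(live_idp_xml)
    if not live:
        raise ValueError("IdP metadata advertises no signing certificate; check the fetch")
    cached = signing_fingerprints(cached_idp_xml)
    return {
        "needs_refresh": bool(live - cached),
        "new": live - cached,
        "stale": cached - live,
    }


def build_idp_metadata(signing: Iterable[bytes], encryption: Iterable[bytes] = ()) -> str:
    """Constructed minimal SAML 2.0 IdP metadata standing in for FederationMetadata.xml."""
    def key_descriptor(use: str, der: bytes) -> str:
        b64 = base64.b64encode(der).decode()
        return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
                '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    body = "".join(key_descriptor("signing", d) for d in signing)
    body += "".join(key_descriptor("encryption", d) for d in encryption)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="http://adfs.example.com/adfs/services/trust">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{body}</md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')


# Placeholder byte strings stand in for DER certificates (constructed sample data);
# real certificates are not needed because only their hashes are compared.
OLD_SIGNING_DER = b"placeholder DER: ADFS token-signing certificate, expiring"
NEW_SIGNING_DER = b"placeholder DER: ADFS token-signing certificate, replacement"
ENCRYPTION_DER = b"placeholder DER: ADFS token-decrypting certificate"

if __name__ == "__main__":
    # What ADFS serves after the replacement, versus what keystone imported before it.
    live = build_idp_metadata([NEW_SIGNING_DER], [ENCRYPTION_DER])
    cached = build_idp_metadata([OLD_SIGNING_DER], [ENCRYPTION_DER])
    status = trust_status(live, cached)
    if status["needs_refresh"]:
        print("out of sync: ADFS now signs with", sorted(status["new"]))
        print("re-import the IdP metadata on the VIO side (viocli update keystone)")
    else:
        print("in sync")
    if status["stale"]:
        print("stale certificates still trusted:", sorted(status["stale"]))
```

In practice, pass `trust_status` the metadata fetched from the ADFS server (ADFS serves it at /FederationMetadata/2007-06/FederationMetadata.xml) and the metadata copy the VIO deployment currently holds. Run it once before step 3 to confirm the mismatch and once after keystone-idp-metadata-manage reports 1/1 to confirm the new signing certificate is trusted; an entry under stale after the refresh means a retired key is still accepted and should be cleaned up.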