Handling IDP Key Rotation in AM 2.0
Objective
A signing certificate is a crucial component in securing SAML communications, ensuring that authentication requests and responses are trusted. This document provides guidance on the changes needed to Access Management 2.0 (AM 2.0) to handle a SAML signing key change on the IDP side. By completing this activity, we will maintain the integrity and security of our SAML authentication process, avoid service disruptions, and ensure a smooth, secure transition to the new certificate.
Note: In AM 1.0, a simple restart of authserver pods would fetch the latest certificate information from the IDP metadata URL and handle the change. However, this is not the case with AM 2.0.
Before you begin
You will need access to the AM 2.0 Admin Console.
Steps
Follow the steps below to incorporate the change in the SAML signing key made on the IDP side.
Log in to the AM 2.0 Admin Console. Select the maactive realm.
Note: If you have Restricted Admin Access on AM 2.0, then use the URL:
https://<stack_name>-auth.<domain_name>/auth/admin/maactive/console/
The Admin Console will appear as shown below:
Now, click on the Identity providers tab on the left panel and select the identity provider whose signing certificate you want to change.
Scroll down in this IDP configuration. For the SP to be able to validate the signatures, the Want Assertions Signed and Validate Signatures toggles must both be switched ON.
Next, update the IDP certificate on the SP side. Clear out the certificate that is already present on AM 2.0 in the Validating X509 certificates field, then paste the valid X509 certificate that the SP should now use to validate the assertions coming from the IDP.
Hit the Save button at the bottom.
You should be able to successfully set a new IDP signing certificate on the SP side.
Note: No component restart is required to reflect this change.
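As an added example (not part of this document or of AM 2.0 itself), the following Python script pulls the signing certificate out of the IDP's SAML metadata, normalises it to the single-line base64 form the Validating X509 certificates field is assumed to take (PEM header and footer removed), computes its SHA-256 fingerprint for an out-of-band check with the IDP team, and reports whether it differs from the value currently configured on the SP side. The metadata and certificate blobs are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders: base64 of short ASCII strings, not real X.509 DER.
OLD_CERT_B64 = base64.b64encode(b"OLD-SIGNING-CERT-PLACEHOLDER").decode()
NEW_CERT_B64 = base64.b64encode(b"NEW-SIGNING-CERT-PLACEHOLDER").decode()
ENC_CERT_B64 = base64.b64encode(b"ENCRYPTION-CERT-PLACEHOLDER").decode()
# Constructed IdP metadata in the shape served at an IdP metadata URL; the signing cert is line-wrapped on purpose.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="urn:placeholder-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {NEW_CERT_B64[:20]}
        {NEW_CERT_B64[20:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {ENC_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

@dataclass(frozen=True)
class IdpCert:
    use: str     # "signing", or "both" when the KeyDescriptor carries no use attribute
    b64: str     # single-line base64 body, the form assumed for the AM 2.0 field
    sha256: str  # fingerprint of the DER bytes, to confirm out of band with the IdP team

def normalise_b64(blob: str) -> str:
    """Drop PEM armour and whitespace so two copies of one certificate compare equal."""
    return "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", blob).split())

def sha256_fingerprint(der: bytes) -> str:
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def extract_signing_certs(metadata_xml: str) -> list[IdpCert]:
    """Return the IdP certificates an SP may use to validate assertion signatures."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # SAML metadata: a missing 'use' means signing and encryption
        if use == "encryption":
            continue                 # encryption-only keys never validate signatures
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = normalise_b64(node.text or "")
            certs.append(IdpCert(use, b64, sha256_fingerprint(base64.b64decode(b64, validate=True))))
    return certs

def certificate_changed(configured_b64: str, idp_certs: list[IdpCert]) -> bool:
    """True when the certificate on the SP side matches none that the IdP publishes."""
    return normalise_b64(configured_b64) not in {c.b64 for c in idp_certs}
```

Run it against the metadata your IDP actually publishes (fetched separately) and the value copied from the Validating X509 certificates field; a True result means the SP-side certificate needs the update described above.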
Author
Shipra Choudhary: Tech Lead, Security, Manhattan Active® Platform, R&D.