SAML Signing Certificate Renew Procedure

Overview

This article describe the procedure how to rotate IdP (Shibboleth) certificate renew action as well the impact on Service Providers (NetScaler, StoreFront, or any other service configured via SAML protocol) which are configured.

Once the new signing certificate is updated to Veridium service, the Service Provider will not accept anymore the SAML assertion issued by Veridium IdP.

Renew the Signing Certificate

Once the new certificate is available (issued from Enterprise PKI), it must be uploaded to Veridium through Admin Management Console.

In Settings \ Connectors \ SAML, admin can access SAML IdP configuration

Screenshot 2023-07-11 at 17.07.17.png

There are 2 options how to upload the new certificate.

  1. (Best Practice) In PKCS#12 format, password protected.

PKCS#12 (also known as PKCS12 or PFX) is a common binary format for storing a certificate chain and private key in a single, encryptable file, and usually have the filename extensions .p12 or .pfx.

In order to do, please check “Enable PFX” toggle button as in picture bellow, which will switch the user interface to the upload form in this format.

Screenshot 2023-07-11 at 17.13.03.png
  1. If the Private Key and Public Key are available in PEM format, there is the option to upload as individual files as well.

PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

Screenshot 2023-07-11 at 17.15.13.png

Save action will submit the new certificate and Veridium IdP will reload automatically to use the new certificate.

Screenshot 2023-07-11 at 17.29.42.png

Update the Service Providers

Manually update

If Service Provider has been configured by upload of idp_metadata.xml file, this action must be done during the same change session as Renew IdP certificate.

Veridium administrator must download the new metadata file (see picture bellow) and distribute to other services.

Download IdP Metadata.png

Automatic Update

If Service Provider was configured to automatically update the IdP Metadata, no further action is required. The metadata URL will publish immediately after Renew the certificate, the new information at

https://<idp service name>/idp/shibboleth

Citrix Storefront

Citrix StoreFront SAML configuration allow to specify multiple IdP keys. That makes possible to configure the new Public Key of signing certificate and StoreFront will accept both signatures (old and news).

Import the new Public Key to Machine Certificate Store

Screenshot 2022-09-22 at 13.22.48.png
Import new Certificate

Edit the SAML Configuration - Identity Provider

Screenshot 2022-09-22 at 13.24.29.png
Edit Identity Provider of the Citrix StoreFront

Add the new Certificate thumbprint

Screenshot 2022-09-22 at 13.23.12.png

Now, the StoreFront will accept both signatures.

Cleanup should be done after the certificate is renewed in IdP Veridium and the old certificate is not in use anymore.