Authentication

How to prepare for a SAML2 certificate change

August 1, 2019

Identity provider (IdP) metadata from Signicat can be found at this URL:

https://{env}.signicat.com/gateway/{servicename}/saml2/metadata

When Signicat changes the SAML signing certificate on Signicat's side, the metadata at this URL is updated automatically with the new certificate. Service Providers that do not refresh the IdP metadata automatically must update their copy themselves (see below).

Signicat changes the SAML certificate every odd year. The Service Provider (SP) must therefore implement and plan for a certificate switch together with Signicat. If the IdP signs SAML messages with a certificate that the Service Provider does not trust, signature validation on the SP side fails and every authentication fails with it.

Some Service Provider software products support having multiple IdP certificates installed at once, so the new certificate can be added alongside the old one before Signicat starts using it. Others rely on a synchronous switch, where the SP replaces the certificate at the same moment Signicat starts signing with the new one. If your software requires the latter, we recommend agreeing on a suitable time for the switch with Signicat Support to reduce the risk of an outage.

How to change the certificate in the metadata manually

An example of Signicat IdP metadata looks like this:

(example from https://preprod.signicat.com/gateway/demo/saml2/metadata)

<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
	<md:EntityDescriptor entityID="https://preprod.signicat.com/gateway/demo/saml2/metadata">
		<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
			<md:KeyDescriptor>
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<ds:X509Data>
						<ds:X509Certificate>MIIDuzCCAqOgAwIBAgIBGTANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQGEwJOTzEUMBIGA1UEChML U2lnbmljYXQgQVMxJDAiBgNVBAMTG1NpZ25pY2F0IEV4dGVybmFsIENBICgyMDQ4KTAeFw0xOTA1 MDMxMzUzNThaFw0yMTA1MDIxMzUzNThaMHgxCzAJBgNVBAYTAk5PMQ8wDQYDVQQIDAZOb3J3YXkx EjAQBgNVBAcMCVRyb25kaGVpbTERMA8GA1UECgwIU2lnbmljYXQxETAPBgNVBAsMCFNpZ25pY2F0 MR4wHAYDVQQDDBV0ZXN0LnNpZ25pY2F0LmNvbS9zdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQC5nM8y4WChls6+3diLpcCmXoxcWakzS0TRnA1P01mRe77jidon7rXWmF1ZXrGllFv6 D1uXAT5mPdTNTY5yn5pkjNxuhfRv804l01rP3Pr695zIGB4CR+BPKQZ03Pjb8SEwF9sRSk4t5uyF w+HUnY7D3Q76Ub/5A51FU5/s0zrkovgW85e1bJfuqd48hWr+oGmfyx4L2Y8oh2AAuoMN0lV/rD4C d6HrLPv6M4CHIlbwbgouX1bASe7J9k8euhMt4J0xpngS5Ui4/nZnanRWmFT2l4rYOzkLrh5ICSBq gAgQmJa2adiRveH2JYfv0iQhIZCRIo/9hfFPS+hr2HC8Wqk3AgMBAAGjfzB9MAkGA1UdEwQCMAAw CwYDVR0PBAQDAgXgMCMGCWCGSAGG+EIBDQQWFhRTaWduaWNhdCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E FgQU2aBHKuzZiHt18CH7nzQOVn+cS/wwHwYDVR0jBBgwFoAUstl+DZ605NwX3br661U41SHRS/Yw DQYJKoZIhvcNAQELBQADggEBAB5A+U2YqB9ynevJkEOAcZEyBLay3XNAJhYvUSWgJz5pnnWrgRrv 5Zir/yH6Nw5Z0NynLoQQqNhpl5zNI8HyvYc1eWGD+fbdD5/l+BGUYmcscOXQW8WMo/G9F+I9AVoy BAs1tjyjbTlRCcCFOCziPJfbBCAF5/hFOWeMCQ/XeZNLZ2CgCrjUInSQQtukY3kB7x6jwqRTBefx 0MtrSGGQVQfNeTztI9Dyqlko8hJEWQLFdDJp1dSJnz7xVtuqXqrUEQYXb1b7KG3Kc3Wx+e7Pxbhr eM2J0XNXDWORJ02vtZ+L1h/vV2feI7K0riP/wUZY+aGopCMGp4c0V/D5UCZGN7w=</ds:X509Certificate>
					</ds:X509Data>
				</ds:KeyInfo>
			</md:KeyDescriptor>
			<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://preprod.signicat.com/gateway/demo/saml2/ars/soap" index="0" isDefault="true" />
			<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/slo/browser" />
			<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/slo/browser" />
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser" />
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser" />
		</md:IDPSSODescriptor>
	</md:EntityDescriptor>
</md:EntitiesDescriptor>

Locate the <ds:X509Certificate> element inside <ds:X509Data> and replace its content with the new certificate supplied by Signicat. The content is the base64-encoded DER certificate only, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

The new certificate can be found here.

It is enough to open the certificate and the metadata in your text editor and paste the new certificate over the old one. Afterwards, check that the metadata is still well-formed XML and that the certificate you pasted has the validity period you expect, so that you do not end up trusting the wrong certificate.
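The following script is an added example, not Signicat's own tooling, covering both the planning point above (adding the new certificate alongside the old one where the SP supports several, or replacing it for a synchronous switch) and the manual metadata edit. It uses only the Python standard library: a minimal DER walk reads notBefore and notAfter from each certificate, so the operator can confirm what the metadata carries before and after the switch, and a pasted file that is not a certificate is rejected instead of silently breaking authentication. The sample metadata is the preprod demo metadata from this page, cut down to one SSO endpoint; the "new certificate" is a stand-in (the page's own certificate re-wrapped as PEM) so the example runs offline, and the mode names `add` and `replace` are this example's own.

```python
"""Inspect and update the X509Certificate entries in Signicat SAML2 IdP metadata.
Added example (not Signicat's tooling); standard library only."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Sample input: the preprod demo metadata shown on this page, cut down to one SSO
# endpoint. Whitespace inside the base64 is allowed and is stripped before decoding.
SIGNICAT_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 <md:EntityDescriptor entityID="https://preprod.signicat.com/gateway/demo/saml2/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIIDuzCCAqOgAwIBAgIBGTANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQGEwJOTzEUMBIGA1UEChML U2lnbmljYXQgQVMxJDAiBgNVBAMTG1NpZ25pY2F0IEV4dGVybmFsIENBICgyMDQ4KTAeFw0xOTA1 MDMxMzUzNThaFw0yMTA1MDIxMzUzNThaMHgxCzAJBgNVBAYTAk5PMQ8wDQYDVQQIDAZOb3J3YXkx EjAQBgNVBAcMCVRyb25kaGVpbTERMA8GA1UECgwIU2lnbmljYXQxETAPBgNVBAsMCFNpZ25pY2F0 MR4wHAYDVQQDDBV0ZXN0LnNpZ25pY2F0LmNvbS9zdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQC5nM8y4WChls6+3diLpcCmXoxcWakzS0TRnA1P01mRe77jidon7rXWmF1ZXrGllFv6 D1uXAT5mPdTNTY5yn5pkjNxuhfRv804l01rP3Pr695zIGB4CR+BPKQZ03Pjb8SEwF9sRSk4t5uyF w+HUnY7D3Q76Ub/5A51FU5/s0zrkovgW85e1bJfuqd48hWr+oGmfyx4L2Y8oh2AAuoMN0lV/rD4C d6HrLPv6M4CHIlbwbgouX1bASe7J9k8euhMt4J0xpngS5Ui4/nZnanRWmFT2l4rYOzkLrh5ICSBq gAgQmJa2adiRveH2JYfv0iQhIZCRIo/9hfFPS+hr2HC8Wqk3AgMBAAGjfzB9MAkGA1UdEwQCMAAw CwYDVR0PBAQDAgXgMCMGCWCGSAGG+EIBDQQWFhRTaWduaWNhdCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E FgQU2aBHKuzZiHt18CH7nzQOVn+cS/wwHwYDVR0jBBgwFoAUstl+DZ605NwX3br661U41SHRS/Yw DQYJKoZIhvcNAQELBQADggEBAB5A+U2YqB9ynevJkEOAcZEyBLay3XNAJhYvUSWgJz5pnnWrgRrv 5Zir/yH6Nw5Z0NynLoQQqNhpl5zNI8HyvYc1eWGD+fbdD5/l+BGUYmcscOXQW8WMo/G9F+I9AVoy BAs1tjyjbTlRCcCFOCziPJfbBCAF5/hFOWeMCQ/XeZNLZ2CgCrjUInSQQtukY3kB7x6jwqRTBefx 0MtrSGGQVQfNeTztI9Dyqlko8hJEWQLFdDJp1dSJnz7xVtuqXqrUEQYXb1b7KG3Kc3Wx+e7Pxbhr eM2J0XNXDWORJ02vtZ+L1h/vV2feI7K0riP/wUZY+aGopCMGp4c0V/D5UCZGN7w=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser" />
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Stand-in for the certificate file Signicat supplies: the page's current certificate
# re-wrapped as PEM, so the example runs offline (constructed, not a real new cert).
STANDIN_NEW_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
    + re.search(r"<ds:X509Certificate>(.*?)</ds:X509Certificate>", SIGNICAT_METADATA, re.S).group(1).strip()
    + "\n-----END CERTIFICATE-----\n")

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, value):
    # UTCTime (0x17) is YYMMDDHHMMSSZ, GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_info(der):
    """Return (sha256 fingerprint, notBefore, notAfter) of a DER X.509 certificate.
    Raises ValueError if the bytes are not a certificate (e.g. armour lines or a
    key file pasted by mistake)."""
    tag, cert, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)                          # tbsCertificate
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, pos = _tlv(tbs, 0)                           # version [0] is optional
    if tag == 0xA0:
        tag, _, pos = _tlv(tbs, pos)                     # serialNumber
    if tag != 0x02:
        raise ValueError("missing serialNumber")
    _, _, pos = _tlv(tbs, pos)                           # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                           # issuer Name
    tag, validity, _ = _tlv(tbs, pos)                    # validity { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("missing validity")
    t1, not_before, pos = _tlv(validity, 0)
    t2, not_after, _ = _tlv(validity, pos)
    return hashlib.sha256(der).hexdigest(), _asn1_time(t1, not_before), _asn1_time(t2, not_after)

def pem_to_der(pem_text):
    """Strip the -----BEGIN/END CERTIFICATE----- armour and decode the base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()), validate=True)

def list_certificates(metadata_xml):
    """(fingerprint, notBefore, notAfter) for every X509Certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [cert_info(base64.b64decode("".join(el.text.split())))
            for el in root.iter(f"{{{DS_NS}}}X509Certificate")]

def _key_descriptor(der):
    kd = ET.Element(f"{{{MD_NS}}}KeyDescriptor")
    ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
    xd = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
    ET.SubElement(xd, f"{{{DS_NS}}}X509Certificate").text = base64.b64encode(der).decode("ascii")
    return kd

def update_metadata(metadata_xml, new_cert_pem, mode):
    """mode="add": keep the old certificate and append the new one as a second KeyDescriptor
    (SP software that trusts several IdP certificates). mode="replace": overwrite the old
    one (synchronous switch). The new certificate is parsed first, so junk is rejected."""
    der = pem_to_der(new_cert_pem)
    cert_info(der)
    root = ET.fromstring(metadata_xml)
    idp = root.find(f".//{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    if mode == "replace":
        for el in idp.iter(f"{{{DS_NS}}}X509Certificate"):
            el.text = base64.b64encode(der).decode("ascii")
    elif mode == "add":
        idp.insert(len(idp.findall(f"{{{MD_NS}}}KeyDescriptor")), _key_descriptor(der))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ET.tostring(root, encoding="unicode")
```

Run `list_certificates(SIGNICAT_METADATA)` before the switch and on the edited file afterwards and compare the fingerprints and validity periods with what Signicat announced; the page's demo certificate decodes to a validity of 2019-05-03 to 2021-05-02, which matches the two-year cycle described above. Use `mode="add"` when your SP software accepts several IdP certificates, and `mode="replace"` only at the agreed cut-over time.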

If you are uncertain or have problems with this process, feel free to reach out to support@signicat.com and Signicat Support will assist in updating the metadata.
