SAML 2.0 - Automate certificate renewal.

jancaasi
Mega Expert

Hi Guys,

I would like to hear your opinion on this. I'm planning to automate the SAML 2.0 certificate renewal. Below is my plan:

1. Turn on debug logging for SAML 2.0 Authentication.

2. Capture the certificate in the system logs. Look for the SAML Response xml: in the message.

3. Compare the XML in the system logs and in the SAML 2.0

4. If both of them are different, update the existing certificate. Vice versa.

My question would be the disadvantages in doing this. Any help or opinion will be appreciated.

Thanks,

Jan Raphael Caasi


henry_cheng
ServiceNow Employee

Hi Jan,

If your certificate is in PEM format then you can use your automatic script to copy the certificate contents to replace the current one. There is no demerit.

But you should be careful when you have multiple IdP servers configured and multiple SAML certificates are being used in one IdP record.

In this case you also need to grab the IdP URL from the SAML response first to know for which IdP server you will update the certificate. Also if multiple certificates are linked to that IdP server you also need to grab the domain information for that certificate as well to make sure you are updating the correct certificate.

Cheers

Henry
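The comparison loop sketched in the original post (capture the certificate from the logged "SAML Response xml:", compare it with what is configured, update only on a difference), together with the issuer lookup and per-certificate matching Henry adds above, as an added example that is not code from this thread or from ServiceNow: a stand-alone Python script that pulls the XML payload out of a debug log line, reads the Issuer and every ds:X509Certificate in it, normalises them to DER, and compares SHA-256 fingerprints against the certificates on file for that issuer. The log line, the XML, the certificate bytes and the idp_records dictionary are all constructed stand-ins; the ServiceNow-side tables and API are not modelled.

```python
"""Added example (not from the thread or ServiceNow): decide whether a SAML
Response captured in a debug log carries a signing certificate that differs
from the one stored for its issuer, and produce the PEM to store if so.
All sample data below is constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _b64_to_der(b64text: str) -> bytes:
    # Log writers and XML pretty-printers wrap base64; strip all whitespace first.
    return base64.b64decode(re.sub(r"\s+", "", b64text))


def pem_to_der(pem: str) -> bytes:
    """PEM (as stored in an IdP certificate record) -> raw DER bytes."""
    return _b64_to_der(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem))


def der_to_pem(der: bytes) -> str:
    """Raw DER bytes -> PEM with 64-column lines, the form we would store."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 over DER: an identity independent of whitespace and line wrapping."""
    return hashlib.sha256(der).hexdigest()


def extract_response_xml(log_text: str) -> str:
    """Pull the XML document that follows 'SAML Response xml:' in a log message."""
    m = re.search(r"SAML Response xml:\s*(<.*>)", log_text, re.S)
    if not m:
        raise ValueError("no 'SAML Response xml:' payload in log text")
    return m.group(1)


def parse_response(xml_text: str):
    """Return (issuer, [DER certs]) from a SAML Response document.

    Issuer is the <saml:Issuer> directly under <samlp:Response>; certificates
    are every <ds:X509Certificate> anywhere in it (Response and/or Assertion
    signatures), de-duplicated by fingerprint."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    certs, seen = [], set()
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        der = _b64_to_der(el.text or "")
        if fingerprint(der) not in seen:
            seen.add(fingerprint(der))
            certs.append(der)
    return issuer, certs


def plan_rotation(log_text: str, idp_records: dict) -> dict:
    """Compare certificates in the logged response with those on file.

    idp_records is a constructed stand-in for the IdP configuration:
    {issuer_url: {"cert_pems": [pem, ...]}}.  Returns an action, never writes."""
    issuer, certs = parse_response(extract_response_xml(log_text))
    if issuer is None or issuer not in idp_records:
        return {"action": "reject", "reason": f"no IdP record for issuer {issuer!r}"}
    if not certs:
        return {"action": "reject", "reason": "response carries no X509Certificate"}
    on_file = {fingerprint(pem_to_der(p)) for p in idp_records[issuer]["cert_pems"]}
    unknown = [c for c in certs if fingerprint(c) not in on_file]
    if not unknown:
        return {"action": "no_change", "issuer": issuer}
    new = unknown[0]
    return {"action": "update", "issuer": issuer,
            "fingerprint": fingerprint(new), "new_pem": der_to_pem(new)}


# --- constructed sample data: not real certificates and not real log output ---
OLD_DER = b"constructed-old-cert-bytes, not a real X.509 certificate"
NEW_DER = b"constructed-new-cert-bytes, not a real X.509 certificate"
_new_b64 = base64.b64encode(NEW_DER).decode("ascii")
_wrapped = "\n".join(_new_b64[i:i + 40] for i in range(0, len(_new_b64), 40))

SAMPLE_LOG = (
    "2024-01-01 00:00:00 DEBUG saml2 SAML Response xml: "
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    "<saml:Issuer>https://idp.example.com/saml</saml:Issuer>"
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
    f"<ds:X509Data><ds:X509Certificate>\n{_wrapped}\n</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
)
IDP_RECORDS = {"https://idp.example.com/saml": {"cert_pems": [der_to_pem(OLD_DER)]}}

if __name__ == "__main__":
    print(plan_rotation(SAMPLE_LOG, IDP_RECORDS))
```

The script refuses an issuer it has no record for rather than creating one, and it only decides; it does not write. It also does not by itself establish that the new certificate is legitimate: a SAML Response is untrusted input until its signature verifies, and a response signed with a brand-new key cannot be verified against the old certificate, so the "different, therefore update" step is a trust-on-first-use decision. Before storing the returned PEM, confirm its fingerprint the way you would for a manually delivered certificate (out of band from the IdP team, or from the IdP's signed metadata fetched over TLS); otherwise anyone who can post a response to the assertion consumer URL can rotate your trust anchor.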

Hi Henry,

Thanks for the response. We don't have multiple IdP servers and SAML certificates so I think we are good to go. 🙂

Regards,

Jan Raphael Caasi


jancaasi
Mega Expert

Any other ideas or suggestions aside from mine?

Regards,

Jan Raphael Caasi