SAML Signing Certificate expiration
Hello,
Our sysadmins have let me know that our SAML signing certificate in Azure for TDX is expiring soon. We use SAML Metadata for our SSO configuration. I'm told that the steps outlined on https://solutions.teamdynamix.com/TDClient/1965/Portal/KB/ArticleDet?ID=142682 do not apply. What, if anything, do we need to do to ensure we don't lose SSO access? I've been informed that the InCommon info at https://solutions.teamdynamix.com/TDClient/1965/Portal/KB/ArticleDet?ID=4019 is also unrelated.
Any info that I can pass along to our sysadmins is greatly appreciated.
Thank you,
Pam
Answer (1)
Hi Pamela,
Here is what I would suggest:
- At any point before your renewal date, add the new (future) AAD token encryption cert to your AAD app for TDX auth. Do not set the token as active, just add it as an inactive second cert. The AAD app at this point should still be using the old cert to actively encrypt assertions because it is the active one. The new cert is just there as a future option. I recommend doing this at least one day before you want the new future cert to be active.
- Since Azure AD releases all of the token encryption certs listed, active or inactive, within 2-4 hours of you completing the above step, TDX will poll the live AAD metadata URL and obtain both certs. Once we have both certs, we can understand token encryption from either one.
- At any point at least one day after Step 1, you can change which token encryption certificate is active. TeamDynamix will still have both certs, but logins headed for us will simply try against both and see the new cert is needed. No downtime.
If you choose to instead only put the new cert in on the day of expiration, you may have a 2-4 hour window where you cannot log into TDX. Existing logins would be fine but new ones would fail.
Let us know if you have any questions!
Best,
Brittany Renn
TDX Support
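The rollover in the answer above works because a metadata-driven service provider trusts every signing certificate published in the IdP's metadata, not just the one the IdP currently uses. The following is an added example (not TeamDynamix or Microsoft code) that models that behaviour: it parses a constructed IdP metadata document, collects SHA-256 fingerprints of all `KeyDescriptor` signing certificates, and then replays the two timelines from the answer (switch the active cert a day after adding it versus switching the same day) against a worst-case 4-hour metadata refresh lag. The certificate bodies are placeholder bytes rather than real X.509 DER, and the 4-hour lag, the `build_metadata` helper, and the entity ID are assumptions for the demonstration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies (not real X.509 DER). For the
# trust-set logic only the fact that they are distinct base64 blobs matters.
OLD_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-old-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-new-cert").decode()

REFRESH_LAG_HOURS = 4  # assumed worst case of the 2-4 hour polling window


def build_metadata(cert_b64_list):
    """Constructed IdP metadata with one signing KeyDescriptor per cert (hypothetical helper)."""
    descriptors = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in cert_b64_list
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="https://idp.example.test/">'
        f'<md:IDPSSODescriptor protocolSupportEnumeration='
        f'"urn:oasis:names:tc:SAML:2.0:protocol">{descriptors}</md:IDPSSODescriptor>'
        f"</md:EntityDescriptor>"
    )


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, the usual way SPs pin an IdP signing cert."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def trusted_signing_fingerprints(metadata_xml):
    """Every signing cert in the metadata is trusted, active or not."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # use="encryption" keys are not signing keys; an absent use= means both.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps


def assertion_accepted(assertion_cert_b64, trusted):
    """An assertion is accepted when its signing cert matches any trusted fingerprint."""
    return fingerprint(assertion_cert_b64) in trusted


def sp_trust_at(hour, published_changes, lag=REFRESH_LAG_HOURS):
    """Trust set the SP holds at `hour`: the latest published cert list it has
    had time to poll. Initially only the old cert is published."""
    current = [OLD_CERT_B64]
    for at, certs in published_changes:
        if at + lag <= hour:
            current = certs
    return trusted_signing_fingerprints(build_metadata(current))


def idp_active_at(hour, active_changes):
    """Which cert the IdP signs assertions with at `hour`."""
    current = OLD_CERT_B64
    for at, cert in active_changes:
        if at <= hour:
            current = cert
    return current


def login_ok(hour, published_changes, active_changes):
    """Would a fresh login at `hour` succeed?"""
    signing_cert = idp_active_at(hour, active_changes)
    return assertion_accepted(signing_cert, sp_trust_at(hour, published_changes))


# Hour 0: the new cert is added to the IdP app (published in metadata, inactive).
PUBLISHED = [(0, [OLD_CERT_B64, NEW_CERT_B64])]
# Recommended: make it active a day later. Same-day: make it active immediately.
RECOMMENDED = [(24, NEW_CERT_B64)]
SAME_DAY = [(0, NEW_CERT_B64)]

if __name__ == "__main__":
    for label, active in (("recommended", RECOMMENDED), ("same-day", SAME_DAY)):
        for hour in (1, 5, 25):
            print(f"{label:12s} hour {hour:2d}: login {'ok' if login_ok(hour, PUBLISHED, active) else 'FAILS'}")
```

In the same-day timeline the login at hour 1 fails because the IdP already signs with the new certificate while the SP's cached metadata still lists only the old one; once the SP has polled (hour 5 onward) both timelines succeed. Replacing the placeholder bytes with real DER and the fingerprint check with full XML-DSig verification is the production path; the trust-set construction from metadata is the part that stays the same.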