In a SAML 2.0 federation, Identity Server and the service provider sign their messages with the private keys of their respective signing certificates, and each trusted provider verifies the other's signature before processing a SAML 2.0 request. If a signing certificate expires, the federation stops working: the administrators on both sides must exchange the new certificate and update their metadata before messages are accepted again. Because that update cannot happen before the old certificate is already being rejected, the expiry interrupts the service and impacts business continuity.
To continue with the services of SAML 2.0 service providers without impacting the continuity of the services, Access Manager provides the following provisions:
You can add a second signing certificate as a secondary certificate that is used when the default signing certificate expires. For example, if the default certificate is valid from January to June and the secondary certificate is valid from May to October, then when the default certificate expires in June, Identity Server automatically starts signing with the secondary certificate, and the federation between the service provider and Identity Server continues without interruption. The secondary certificate must already be in the service provider's copy of the Identity Server metadata before the switch occurs, because the service provider can verify only signatures made with a certificate it trusts.
For information about adding a secondary certificate, see Configuring Communication Security for a SAML 2.0 Service Provider and Editing a SAML 2.0 Service Provider’s Metadata.
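The rollover described above, as an added example that is not Access Manager code: a small Go program (standard library only) that models an Identity Server holding a default and a secondary signing certificate, picks the one that is valid at a given date, signs a constructed SAML response stub, and then plays the service-provider side twice, once with a metadata copy that carries only the default certificate and once with both. ECDSA over SHA-256 stands in for the XML signature, the certificate names and validity windows are assumptions chosen to match the January-June / May-October example in the text, and the `<samlp:Response>` is a constructed stub, not a real message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signingCred models one Identity Server signing credential: the private key that signs
// and the self-signed certificate (public half) that is handed to the service provider.
type signingCred struct {
	name string
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newSigningCred generates a P-256 key and a self-signed certificate valid for
// [notBefore, notAfter). Hypothetical helper; a real Identity Server uses its keystore.
func newSigningCred(name string, notBefore, notAfter time.Time) (*signingCred, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signingCred{name: name, key: key, cert: cert}, nil
}

// validAt reports whether the certificate's validity window covers now.
func validAt(c *x509.Certificate, now time.Time) bool {
	return !now.Before(c.NotBefore) && now.Before(c.NotAfter)
}

// selectSigner is the rollover rule: sign with the default certificate while it is
// valid, otherwise fall back to the secondary one; with neither valid, federation stops.
func selectSigner(def, sec *signingCred, now time.Time) (*signingCred, error) {
	for _, c := range []*signingCred{def, sec} {
		if c != nil && validAt(c.cert, now) {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no valid signing certificate at %s", now.Format("2006-01-02"))
}

// verify is the service-provider side: the signature is accepted only if a certificate
// in the SP's copy of the Identity Server metadata is still valid and verifies it.
func verify(msg, sig []byte, trusted []*x509.Certificate, now time.Time) (string, error) {
	h := sha256.Sum256(msg)
	for _, cert := range trusted {
		pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
		if ok && validAt(cert, now) && ecdsa.VerifyASN1(pub, h[:], sig) {
			return cert.Subject.CommonName, nil
		}
	}
	return "", fmt.Errorf("no trusted, unexpired certificate verifies the signature")
}

// runScenario signs a constructed SAML response at time now and checks it against an SP
// that trusts only the default certificate (oldSPOK) and one that trusts both (newSPOK).
func runScenario(def, sec *signingCred, now time.Time) (signer string, oldSPOK, newSPOK bool, err error) {
	s, err := selectSigner(def, sec, now)
	if err != nil {
		return "", false, false, err
	}
	msg := []byte(`<samlp:Response ID="_constructed" IssueInstant="` + now.Format(time.RFC3339) + `"/>`)
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, h[:]) // stands in for the XML-DSig signature
	if err != nil {
		return "", false, false, err
	}
	_, errOld := verify(msg, sig, []*x509.Certificate{def.cert}, now)
	_, errNew := verify(msg, sig, []*x509.Certificate{def.cert, sec.cert}, now)
	return s.name, errOld == nil, errNew == nil, nil
}

func main() {
	date := func(m time.Month, d int) time.Time { return time.Date(2024, m, d, 0, 0, 0, 0, time.UTC) }
	def, _ := newSigningCred("idp-default", date(time.January, 1), date(time.July, 1))    // January..June
	sec, _ := newSigningCred("idp-secondary", date(time.May, 1), date(time.November, 1)) // May..October
	for _, now := range []time.Time{date(time.May, 15), date(time.July, 15), date(time.December, 1)} {
		signer, oldOK, newOK, err := runScenario(def, sec, now)
		fmt.Printf("%s signer=%-13s oldSP=%-5v newSP=%-5v err=%v\n", now.Format("2006-01-02"), signer, oldOK, newOK, err)
	}
}
```

In May both certificates are valid and the default one signs, so both service providers accept. In July the default certificate has expired, Identity Server switches to the secondary one, and only the service provider whose metadata copy already contains the secondary certificate keeps accepting messages; the one that was never given it rejects every response until its metadata is updated, which is exactly the outage the secondary certificate is meant to avoid. In December neither certificate is valid and signing fails outright, so the next rollover has to be prepared before the secondary certificate expires.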
After you modify the settings of a SAML 2.0 trusted service provider in Identity Server, you can update only the modified trusted provider settings instead of the complete Identity Server cluster configuration. Updating the whole Identity Server cluster configuration takes longer and interrupts the services of the service provider. Access Manager applies the changes made for SAML 2.0 trusted providers without affecting the other configurations of the Identity Server cluster.
To update settings of a trusted service provider, perform the following steps:
Click Devices > Identity Servers.
Click Update All next to the required Identity Server or cluster.
The SAML2 Trusted Provider Update option is selected. This option ensures that only the settings that are changed in Identity Server for the SAML 2.0 trusted provider are updated.
IMPORTANT:
This option is displayed only when a trusted service provider setting has been changed without changing the Unique ID or the Provider ID.
If you modify a certificate that is assigned to multiple service providers, the change applies to all of those service providers, even when you update only one specific SAML 2.0 trusted provider.
If you change the Attributes setting, you must perform a full Identity Server update rather than a trusted provider update.
Click OK to update with the specified option.
This keeps the services operational because updating the settings of a specific trusted service provider takes less time than updating an Identity Server cluster.