SMP3: How to renew self signed SAML service provider certificate?
Are you using the SAML authentication flow in your SMP 3.0 application? Is the generated certificate a self-signed one (generated by SMP itself)? Do you already know its expiration date? Or has it already expired, so that now users can't be onboarded on SMP?
(We had the same situation, so here I am sharing what we did to get rid of it.)
There are many blogs on how the SAML flow works and how to configure it; I am not going to explain that here.
For the SAML flow to work, the metadata file of the local service provider (here, SMP) must first be shared with the Identity Provider (IdP) team. You provide an LSP name and a Base URL (e.g. https://server:port).
Next, what about the values for the signing key and signing certificate?
Option A: Click the ‘Generate key pair’ option to have these values filled in automatically (SMP does the work). Not recommended for a productive environment.
Option B: Generate these values from a Certificate Authority (recommended for a productive environment).
In the case of Option A, where does SMP take the default inputs from to generate the self-signed certificate?
To check this, go to Settings > System > scroll down > SAML SERVICE PROVIDER CERTIFICATE GENERATOR SETTINGS.
Here you can see that there are default values for the subject, and that the certificate is valid for only 1 year.
(If you are still not sure when the generated certificate is going to expire, here is a quick way to check: copy the ‘Signing certificate’ content into Notepad, save it as a .cer file, and double-click the certificate file.)
We were told by the IdP team that they were seeing this error with the SMP LSP metadata file:
Unable to validate SAML2 Trusted Service Provider. The trusted relationship with this entity will not be functional!
Error Validating X509 Certificate of Trusted Provider
Trusted Provider Type: SAML2 Trusted Service Provider
Trusted Provider Id: SAMLTEST
Error Validating X509 Signing Certificate
X509 Certificate Version: 3
X509 Certificate Subject: C=DE L=Walldorf O=SAP SE
X509 Certificate Issuer: C=DE L=Walldorf O=SAP SE
X509 Certificate Serial Number: xxxxx
X509 Certificate Start Date: 2015-05-20 10:18:28
X509 Certificate Expiration Date: 2016-05-20 10:18:28
X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: Certification path could not be validated. Could not validate certificate: NotAfter: Fri May 20 10:18:28 CEST 2016 Root Cause: java.security.cert.CertPathBuilderException: Certification path could not be validated.
Then we figured out the issue (already highlighted above): the generated certificate had expired.
How to renew it?
- Increase the number of years to 1 or 2 or as many as you want 😉
- Save it
- Generate a new key pair
- Download the new metadata file
- Share it with the IdP team
Note: You can also provide your company-specific subject (we went with the default parameters).
Before step 4 (downloading the new metadata file), you can validate the above settings:
- Copy the signing certificate content into Notepad
- Save it with a .cer extension
- Double-click it and confirm the new validity dates
Here everything looks fine, and now you can share the new metadata file with the IdP team.
For Option B: talk to your CA team.
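The "save as .cer and double-click" check above is a manual Windows step. As an added example (not part of the original post and not SMP's own tooling), the following shell script does the same check with the openssl command line, and also accepts the bare base64 text exactly as it appears in the ‘Signing certificate’ field or the ds:X509Certificate element of the metadata: it prints subject, issuer and validity dates, tells you whether the certificate is self-signed (subject equals issuer, as in the error output above), and whether it will still be valid in N days, so an upcoming expiry is caught before the IdP starts rejecting the metadata. The make_demo_cert function generates a throwaway self-signed certificate with the default subject seen in the error output purely so the script can run without an SMP system; all file names are assumptions.

```shell
#!/usr/bin/env sh
# Added example: checking the SMP SAML signing certificate with openssl.
# Input may be a PEM (.cer) file or the bare base64 body copied from the
# 'Signing certificate' field / ds:X509Certificate element of the metadata.

# Emit the certificate as PEM, adding BEGIN/END lines if the file holds
# only the bare base64 body (whitespace and line breaks are stripped).
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    cat "$1"
  else
    printf -- '-----BEGIN CERTIFICATE-----\n'
    tr -d ' \r\n' < "$1" | fold -w 64
    printf -- '\n-----END CERTIFICATE-----\n'
  fi
}

# Print subject, issuer, notBefore and notAfter of the certificate.
cert_info() {
  to_pem "$1" | openssl x509 -noout -subject -issuer -dates
}

# Exit 0 if the certificate is still valid in $2 days (default 30);
# exit 1 if it expires before then or has already expired.
cert_valid_for_days() {
  days=${2:-30}
  to_pem "$1" | openssl x509 -noout -checkend $((days * 86400)) > /dev/null
}

# Exit 0 if subject and issuer are identical, i.e. the certificate is
# self-signed (the case for an SMP-generated key pair).
cert_is_self_signed() {
  s=$(to_pem "$1" | openssl x509 -noout -subject)
  i=$(to_pem "$1" | openssl x509 -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# Constructed demo input: a throwaway self-signed certificate valid for $2
# days, using the default subject seen in the IdP error output. Not from SMP.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj '/C=DE/L=Walldorf/O=SAP SE' 2> /dev/null
}

# Stand-alone run: generate a 1-day certificate and check it the way the
# manual .cer check in the post would, plus a 30-day expiry warning.
demo() {
  dir=$(mktemp -d)
  make_demo_cert "$dir/sp.cer" 1
  cert_info "$dir/sp.cer"
  if cert_is_self_signed "$dir/sp.cer"; then echo "self-signed: yes"; fi
  if cert_valid_for_days "$dir/sp.cer" 30; then
    echo "still valid in 30 days"
  else
    echo "WARNING: expires within 30 days - renew and redistribute the metadata"
  fi
  rm -rf "$dir"
}
```

Point cert_info at the .cer file you saved from the SMP field (or at a file containing just the pasted base64), or run demo to see the flow on the generated certificate. A certificate that fails cert_valid_for_days 30 is the one to renew with the steps above; the IdP rejects the metadata the moment NotAfter passes, so checking a few weeks ahead leaves time to share the new metadata file.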
Hope this helps.
Thanks Andreas Wegmann for your inputs.