
Renew SSO certificate in Saviynt UI

Olesia
Regular Contributor

Issue: when uploading a new metadata file, Saviynt still shows the same expiration date, even though we have confirmed that the new certificate was generated.

We encountered the same issue as described here https://forums.saviynt.com/t5/identity-governance/renew-sso-certificate-in-saviynt/m-p/95384/thread-... , and I’m sharing the steps we performed to resolve it.

When you generate a new certificate in EntraID and there are two SAML certificates at the same time, the Metadata XML file contains both certificates. You can easily verify this by checking for multiple <X509Certificate> tags in the file and comparing them. Most identity providers include both the old and new certificates in the metadata for seamless certificate rollover, giving Service Providers (SPs) time to update their configurations. Ref.: https://learn.microsoft.com/en-us/entra/identity-platform/federation-metadata


When this file is uploaded as the IdP file in the SSO configuration page of the UI, Saviynt only recognizes the old certificate.


It appears that Saviynt cannot process multiple certificates in the metadata. If you activate SSO with this "incompatible" file, you will be unable to log in, and the debug log will show the following error: Metadata for entity ... and role ... IDPSSODescriptor wasn't found.

According to the Saviynt Troubleshooting Guide, this error message indicates that the IdP metadata is not in a format supported by Saviynt, so it cannot properly consume the metadata file generated by IdP.

Steps we performed to renew an expiring certificate:

  1. Generate a new certificate only when you are ready to upload it to the SP.
  2. Log in to Saviynt.
  3. Activate the new certificate and delete the old one.
  4. Download the Metadata XML file.
  5. Upload the Metadata XML file to Saviynt as the IdP file.
  6. Save and activate the updated SSO. The system will restart.
  7. Validate the SSO using incognito mode.

Alternative Method (Not Tested):

  1. Generate a new certificate in the IdP, but keep it inactive.
  2. Download the Metadata XML file and replace the old certificate with the new one within the <X509Certificate> tag, ensuring only the new certificate remains. Save the file.
  3. Upload the modified XML file to Saviynt as the IdP file, then save and activate the updated SSO.
  4. Activate the new certificate in the IdP.
  5. Validate the SSO using incognito mode.
  6. Remove the old certificate from the IdP.

Please let me know if these instructions helped you, and whether you tried the second option. I haven't tested it myself, but it might be a better approach as it allows you to keep the old certificate in IdP for a while in case something goes wrong.

For Saviynt:

- add support for multiple certificates

- handle metadata updates automatically - https://ideas.saviynt.com/ideas/EIC-I-5917
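Added example (not Saviynt or Microsoft code) covering the check in the third paragraph and step 2 of the alternative method: it lists the signing certificates in an IdP metadata file by SHA-256 fingerprint and writes a copy that keeps only the chosen one. The entity ID, the metadata skeleton and the certificate bodies are constructed placeholders; real files carry base64 DER X.509 certificates in the same elements.

```python
"""List the signing certs in IdP federation metadata and write a copy keeping one
(step 2 of the alternative method). Added example, not Saviynt or Microsoft code;
the metadata and certificate bodies are constructed placeholders, not X.509 DER."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in (("", NS["md"]), ("ds", NS["ds"])):
    ET.register_namespace(prefix, uri)  # keep the default namespace on output
OLD_DER = b"constructed-old-certificate"  # stands in for the expiring cert
NEW_DER = b"constructed-new-certificate"  # stands in for the renewed cert

def key_descriptor(der: bytes) -> str:  # one signing KeyDescriptor as IdPs emit it
    return (f'<KeyDescriptor use="signing"><KeyInfo xmlns="{NS["ds"]}"><X509Data>'
            f'<X509Certificate>{base64.b64encode(der).decode()}</X509Certificate>'
            '</X509Data></KeyInfo></KeyDescriptor>')

# Shape of Entra metadata mid-rollover: old and new signing certs side by side.
SAMPLE_METADATA = (f'<EntityDescriptor xmlns="{NS["md"]}" entityID="https://idp.example/">'
                   '<IDPSSODescriptor protocolSupportEnumeration='
                   '"urn:oasis:names:tc:SAML:2.0:protocol">'
                   + key_descriptor(OLD_DER) + key_descriptor(NEW_DER)
                   + '</IDPSSODescriptor></EntityDescriptor>')

def fingerprint_of(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, comparable with the IdP console."""
    return hashlib.sha256(der).hexdigest()

def cert_fingerprint(kd):  # fingerprint of a signing KeyDescriptor, else None
    cert = kd.find(".//ds:X509Certificate", NS)
    if cert is None or kd.get("use") not in (None, "signing"):  # no use = both
        return None
    return fingerprint_of(base64.b64decode("".join(cert.text.split())))

def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every signing cert under IDPSSODescriptor, in file order."""
    kds = ET.fromstring(metadata_xml).findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
    return [fp for fp in map(cert_fingerprint, kds) if fp is not None]

def keep_only_cert(metadata_xml: str, keep_fp: str) -> str:
    """Drop every signing KeyDescriptor except the one matching keep_fp. Caveat: this
    invalidates the file's own <ds:Signature>, if present; an SP that verifies it rejects the result."""
    if keep_fp not in signing_fingerprints(metadata_xml):
        raise ValueError("chosen certificate is not in this metadata")
    root = ET.fromstring(metadata_xml)
    for idp in root.findall(".//md:IDPSSODescriptor", NS):
        for kd in list(idp.findall("md:KeyDescriptor", NS)):
            if cert_fingerprint(kd) not in (None, keep_fp):
                idp.remove(kd)
    return ET.tostring(root, encoding="unicode")
```

Run `signing_fingerprints` on the downloaded file first: two fingerprints confirm the rollover situation the post describes, and the one matching the IdP console is the value to pass to `keep_only_cert`.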



rushikeshvartak
All-Star

You need to use the alternative; currently multiple certificates are not supported, and the idea, as mentioned, is already in place.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.