09/20/2024 03:29 AM
Issue: when uploading a new metadata file, Saviynt still shows the same expiration date, even though we have ensured that the new certificate has been generated.
We encountered the same issue as described here https://forums.saviynt.com/t5/identity-governance/renew-sso-certificate-in-saviynt/m-p/95384/thread-... , and I’m sharing the steps we performed to resolve it.
When you generate a new certificate in EntraID and there are two SAML certificates at the same time, the Metadata XML file contains both certificates. You can easily verify this by checking for multiple <X509Certificate> tags in the file and comparing them. Most Identity Providers include both the old and new certificates in the metadata for seamless certificate rollover, giving Service Providers (SPs) time to update their configurations. Ref.: https://learn.microsoft.com/en-us/entra/identity-platform/federation-metadata
When this file is uploaded as the IdP file in the SSO configuration page of the UI, Saviynt only recognizes the old certificate.
It appears that Saviynt cannot process multiple certificates in the metadata. If you activate SSO with this "incompatible" file, you will be unable to log in, and the debug log will show the following error: Metadata for entity ... and role ... IDPSSODescriptor wasn't found.
According to the Saviynt Troubleshooting Guide, this error message indicates that the IdP metadata is not in a format supported by Saviynt, so it cannot properly consume the metadata file generated by IdP.
Steps we performed to renew an expiring certificate:
Alternative Method (Not Tested):
Please let me know if these instructions helped you, and whether you tried the second option. I haven't tested it myself, but it might be a better approach as it allows you to keep the old certificate in IdP for a while in case something goes wrong.
For Saviynt:
- add support for multiple certificates
- handle metadata updates automatically - https://ideas.saviynt.com/ideas/EIC-I-5917
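The check described in the post above (looking for multiple <X509Certificate> tags in the IdP metadata and comparing them) can be automated. The script below is an added example, not code from the post or from Saviynt: it parses the IDPSSODescriptor/KeyDescriptor entries, fingerprints each certificate with SHA-256 so that the same certificate listed twice counts once, and reports whether the file is in a rollover state with more than one distinct signing certificate. The metadata it parses is constructed inline, and the certificate bodies are placeholder bytes rather than real X.509 DER, so it runs offline; on a real file you would pass the downloaded metadata text to the same functions.

```python
"""Detect a rollover-state SAML IdP metadata file (more than one signing cert)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies (NOT real X.509 DER). Real metadata
# carries base64 DER here; the logic below does not depend on the content.
OLD_CERT_B64 = base64.b64encode(b"constructed-old-certificate-bytes").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-new-certificate-bytes").decode()


def build_metadata(cert_b64s):
    """Return constructed IdP metadata listing each certificate as a signing key."""
    descriptors = "".join(
        '    <KeyDescriptor use="signing">\n'
        '      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">\n'
        f"        <X509Data><X509Certificate>\n{c}\n</X509Certificate></X509Data>\n"
        "      </KeyInfo>\n"
        "    </KeyDescriptor>\n"
        for c in cert_b64s
    )
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"\n'
        '                  entityID="https://idp.example.test/">\n'
        '  <IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">\n'
        f"{descriptors}"
        "  </IDPSSODescriptor>\n"
        "</EntityDescriptor>\n"
    )


def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes; line breaks/indentation ignored."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_certificates(xml_text):
    """Every certificate under IDPSSODescriptor/KeyDescriptor, in file order."""
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")  # None means the key may be used for signing and encryption
        for cert in kd.findall(".//ds:X509Certificate", NS):
            found.append({"use": use, "sha256": fingerprint(cert.text or "")})
    return found


def distinct_signing_fingerprints(xml_text):
    """Distinct signing certificates; the same cert listed twice counts once."""
    return sorted({c["sha256"] for c in signing_certificates(xml_text)
                   if c["use"] in (None, "signing")})


def has_multiple_signing_certs(xml_text):
    """True when the metadata is in a rollover state (old and new cert present)."""
    return len(distinct_signing_fingerprints(xml_text)) > 1


if __name__ == "__main__":
    samples = (
        ("rollover", build_metadata([OLD_CERT_B64, NEW_CERT_B64])),
        ("single", build_metadata([NEW_CERT_B64])),
    )
    for label, meta in samples:
        fps = distinct_signing_fingerprints(meta)
        print(f"{label}: {len(fps)} distinct signing certificate(s), "
              f"multiple={has_multiple_signing_certs(meta)}")
        for fp in fps:
            print("  sha256:", fp)
```

Run against the downloaded federation metadata, a result of two distinct fingerprints tells you the file is the rollover form the post describes, so it is worth confirming which certificate the SSO configuration page actually picked up before activating it.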
09/20/2024 03:32 AM
You need to use the alternative; currently, multiple certificates are not supported, and the idea, as mentioned, is already in place.