SAML Certificate Renewal Options

A SAML identity provider (IdP) may require the verification of a service provider's request signing certificate. When you integrate a SAML IdP with Secure Access, you may have to import the Secure Access certificate information in to your IdP platform.

Note: Many IdPs do not validate SAML request signatures and therefore these steps are not required. We recommend that you contact your IdP for confirmation.

There are two options for importing the certificate information into your IdP: Automatic Configuration and Manual Import.

Known Limitations

If you have multiple Secure Access organizations and use the Secure Access multiple-Org SAML EntityID, then you must not use the URL-based metadata update mechanism. The Multiple-Org SAML Entity ID only applies if you have multiple Secure Access organizations linked to the same IdP. In this scenario you should manually add the Secure Access request signing certificate to each IdP configuration.

Automatic Configuration Through the Fixed Metadata URL

This option is the preferred configuration method for IdPs that support automatic updates of metadata through an URL. This includes popular IdPs such as AD FS and Ping Identity. The benefit is that the IdP automatically imports a new Secure Access certificate each year without manual intervention.

Prerequisites

• An IdP that supports automatic updates of a service provider's metadata from a URL, for example: AD FS and Ping Identity.
• Configure your IdP platform to read one of the following Secure Access metadata URLs for encrypted or unencrypted SAML assertions:
  • Encrypted:
    • <https://api.sse.cisco.com/admin/v2/samlsp/certificates/Cisco_SSE_SP_Metadata_with_Encryption.xml>
  • Unencrypted:
    • https://api.sse.cisco.com/admin/v2/samlsp/certificates/Cisco_SSE_SP_Metadata.xml
• Your IdP platform can read the associated Certificate Authority URLs:
  • http://r3.o.lencr.org
  • http://r3.i.lencr.org
• Your IdP platform must support TLS 1.2 in order to connect to the Secure Access metadata URL securely. If the IdP application utilizes .NET framework 4.6.1 or earlier this may require some further configuration. See Microsoft's documentation.
• For information on prerequisites that apply to all SAML IdPs, see Prerequisites for SAML Authentication.

Manual Import of the Secure Access SAML Certificate

If your IdP does not support automatic update of SAML metadata, then you must import a new Secure Access signing certificate each year into your IdP. If you are using encrypted SAML assertions, then you must import a new Secure Access encryption certificate each year into your IdP.

Export Secure Access SAML signing and encryption certificates from Connect > Users and Groups > Configuration Management. For more information about certificate export and import procedures for specific IdPs, see the following pages:

• Configure Azure AD for SAML
• Configure Okta for SAML
• Configure AD FS for SAML
• Configure Duo Security for SAML
• Configure Ping Identity for SAML
• Configure OpenAM for SAML

Configure OpenAM for SAML < SAML Certificate Renewal Options > Test SAML Identity Provider Integration