SAML Certificate Renewal Options

A SAML identity provider (IdP) may require verification of a service provider's request signing certificate. When you integrate a SAML IdP with Secure Access, you may have to import the Secure Access certificate information into your IdP platform.

Note: Many IdPs do not validate SAML request signatures and therefore these steps are not required. We recommend that you contact your IdP for confirmation.

There are two options for importing the certificate information into your IdP: Automatic Configuration and Manual Import.

Known Limitations

If you have multiple Secure Access organizations and use the Secure Access Multiple-Org SAML Entity ID, then you must not use the URL-based metadata update mechanism. The Multiple-Org SAML Entity ID only applies if you have multiple Secure Access organizations linked to the same IdP. In this scenario you should manually add the Secure Access request signing certificate to each IdP configuration.

Automatic Configuration Through the Fixed Metadata URL

This option is the preferred configuration method for IdPs that support automatic updates of metadata through a URL. This includes popular IdPs such as AD FS and Ping Identity. The benefit is that the IdP automatically imports a new Secure Access certificate each year without manual intervention.

Prerequisites

  • An IdP that supports automatic updates of a service provider's metadata from a URL, for example: AD FS and Ping Identity.
  • Your IdP platform can read the Secure Access metadata URL:
    • https://api.sse.cisco.com/admin/v2/samlsp/certificates/Cisco_SSE_SP_Metadata.xml
  • Your IdP platform can read the associated Certificate Authority URLs:
    • http://r3.o.lencr.org
    • http://r3.i.lencr.org
  • Your IdP platform must support TLS 1.2 in order to connect to the Secure Access metadata URL securely. If the IdP application uses .NET Framework 4.6.1 or earlier, this may require some further configuration. See Microsoft's documentation.

Manual Import of the Secure Access Signing Certificate

This option is for IdPs that do not support automatic updates of the SAML metadata. You must import the new Secure Access signing certificate into your identity provider each year.
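Both options above come down to the same question for the IdP administrator: which request signing certificate does the service provider currently publish in its metadata, and does it match what the IdP trusts? The following script is an added example, not Cisco's code or part of this page. It fetches SP metadata over TLS 1.2 or newer (the prerequisite listed for the automatic option), extracts the certificates marked for signing from the standard SAML 2.0 `KeyDescriptor` elements, and compares their SHA-256 fingerprints with the ones pinned in the IdP so that an administrator on the manual option can be alerted when the yearly certificate changes. The metadata URL is the one the page lists; the sample metadata document, its certificate bytes and the pinned fingerprints are constructed for the demonstration and are not real certificates.

```python
"""Detect rotation of a SAML service provider's request signing certificate.

Added illustration (not Cisco's code). Assumes the metadata URL serves standard
SAML 2.0 metadata; the sample document and certificate bytes below are constructed.
"""
import base64
import hashlib
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Fixed metadata URL from the page.
METADATA_URL = "https://api.sse.cisco.com/admin/v2/samlsp/certificates/Cisco_SSE_SP_Metadata.xml"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fetch_metadata(url=METADATA_URL, timeout=10):
    """Download SP metadata, refusing anything older than TLS 1.2 (the page's prerequisite)."""
    ctx = ssl.create_default_context()            # verifies the server chain against system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # reject TLS 1.0/1.1 handshakes
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def sha256_hex(der_bytes):
    """Certificate fingerprint as lowercase hex, the form most IdP consoles display."""
    return hashlib.sha256(der_bytes).hexdigest()


def signing_cert_fingerprints(metadata_xml):
    """Return fingerprints of every certificate the SP publishes for request signing.

    A KeyDescriptor with use="signing", or with no use attribute (which per the
    SAML metadata spec means both signing and encryption), counts;
    use="encryption" is ignored because the IdP does not verify signatures with it.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata usually wraps the base64 across lines; drop all whitespace first.
            b64 = "".join((cert.text or "").split())
            fingerprints.append(sha256_hex(base64.b64decode(b64)))
    return fingerprints


def detect_rotation(current, pinned):
    """Compare the fingerprints the SP publishes with the ones the IdP trusts.

    Returns (new, stale): certificates the IdP must still import, and certificates
    it still trusts that the SP no longer publishes (candidates for removal).
    """
    cur, pin = set(current), set(pinned)
    return sorted(cur - pin), sorted(pin - cur)


# ---- constructed sample: placeholder bytes stand in for DER certificates ----
SAMPLE_SIGNING_DER = b"constructed-signing-cert-bytes"
SAMPLE_ENCRYPTION_DER = b"constructed-encryption-cert-bytes"


def _wrapped_b64(der):
    """Base64 split across two lines, as real metadata files usually are."""
    b64 = base64.b64encode(der).decode()
    return b64[:20] + "\n      " + b64[20:]


SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_wrapped_b64(SAMPLE_SIGNING_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_wrapped_b64(SAMPLE_ENCRYPTION_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".encode()


if __name__ == "__main__":
    # Fingerprint of the certificate the IdP was last configured with (constructed).
    pinned = [sha256_hex(b"constructed-last-years-cert-bytes")]
    # For a live check replace SAMPLE_METADATA with fetch_metadata().
    published = signing_cert_fingerprints(SAMPLE_METADATA)
    new, stale = detect_rotation(published, pinned)
    print("signing certificates to import into the IdP:", new or "none")
    print("trusted certificates no longer published:", stale or "none")
```

Run from a scheduled job, a non-empty `new` list is the signal to perform the manual import; the encryption certificate is deliberately excluded so that its presence in the metadata does not trigger a false alert.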

