Conformity SAML 2.0 SSO Certificate Rotation Guide

Introduction

Trend Micro Cloud One™ – Conformity supports SSO based on the SAML 2.0 standard and uses an RSA key pair to sign SAML login and logout requests. Some identity providers use the public certificate of this key to verify the signature. Some identity providers also optionally use the same public certificate to encrypt the SAML responses they send to Conformity.

Purpose

The previous Conformity SSO certificate expired on August 17th, 2023. Follow the instructions on this help page to switch to the new certificate.

Audience

SSO identity provider administrators may be required to update the Conformity application configuration on the identity provider side. If your identity provider encrypts SAML responses or verifies the SAML request signature, you will need to switch to the new certificate.

Guide

1. Acquire the new certificate or service provider metadata

Depending on the type of identity provider you use, you will either find a field for service provider metadata, or one or more fields for Encryption Certificate and Signature Certificate.

2. Update your identity provider configuration

  1. Create a backup of the existing identity provider configuration.
  2. Upload the Service provider metadata.

    or

    Upload the certificate for Signature and the certificate for Encryption (if required) to the Conformity application on your identity provider. We support both the old certificate and the new one until the old certificate expires, so there won’t be any interruption to your service while you switch over.

Note: Most Microsoft ADFS and Keycloak setups can use metadata, while Okta and other identity providers need the certificate directly. You can use the same certificate for both signing and encryption if required.

3. Verify configuration

As an Admin user in Conformity, sign in either from the Enterprise sign-on page or directly from your identity provider dashboard.

Troubleshooting

  • Make sure you sign in to Conformity via your identity provider and not directly using username and password.
  • Verify the SHA-256 signature of the certificate you downloaded. New certificate SHA-256 signature: 36e8b6f717a441de375bfbff6b3af83348b90b52a8f4408a5b6ae8c5674e3ddc
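
One way to script the SHA-256 check from the last troubleshooting item before uploading the certificate to your identity provider. This is an added example, not Trend Micro code. The page does not say whether the published value is computed over the downloaded file or over the certificate's DER encoding, so the script assumes either is possible and checks both; the script name in the usage comment and the sample certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
import sys

# SHA-256 value published on this page for the new certificate.
PUBLISHED_SHA256 = "36e8b6f717a441de375bfbff6b3af83348b90b52a8f4408a5b6ae8c5674e3ddc"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: placeholder bytes wrapped as PEM, NOT the real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def normalize(value):
    """Accept upper-case, spaced or colon-separated digests as tools print them."""
    cleaned = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("expected 64 hex characters (SHA-256)")
    return cleaned

def candidate_digests(data):
    """SHA-256 over the file as downloaded and, if it is PEM, over its DER body."""
    digests = {"file": hashlib.sha256(data).hexdigest()}
    match = PEM_RE.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        digests["der"] = hashlib.sha256(der).hexdigest()
    return digests

def verify(data, expected=PUBLISHED_SHA256):
    """Return which digest ('file' or 'der') matches, or None if neither does."""
    want = normalize(expected)
    for name, digest in candidate_digests(data).items():
        if hmac.compare_digest(digest, want):
            return name
    return None

if __name__ == "__main__":
    # Hypothetical usage: python verify_cert.py <downloaded certificate file>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    matched = verify(data)
    print(f"MATCH ({matched} digest)" if matched else "NO MATCH: do not upload")
    sys.exit(0 if matched else 1)
```

A non-zero exit status means neither digest equals the published value, so download the certificate again rather than uploading it.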

You can contact our Customer Success team with 'SSO Certificate Rotation' in the subject line if you run into any issues or require further assistance.