Conformity SAML 2.0 SSO Certificate Rotation Guide
Trend Micro Cloud One™ – Conformity supports SSO based on the SAML 2.0 standard and uses an RSA key pair to sign SAML login and logout requests. The public certificate of that key pair is used by some Identity Providers to verify this signature. The same public certificate is optionally used by some Identity Providers to encrypt SAML responses sent to Conformity.
The current Conformity SSO certificate will expire by September 7th, 2020. Follow the instructions on this help page for actions that you may need to take to switch to the new certificate.
SSO identity provider administrators may be required to update the Conformity application configuration on the identity provider side. If your identity provider encrypts SAML responses or verifies the SAML request signature, you will need to switch to the new certificate.
1. Check whether you need to act
As an Admin user in Conformity, sign in using SSO either from the Enterprise sign-on page or directly from your identity provider’s dashboard. You will see a warning if your identity provider is using an old certificate and needs to be updated, as shown in the screenshot below:
2. Acquire the new certificate or service provider metadata
Depending on the type of identity provider you use, you will either find a field for service provider metadata, or one or more fields for Encryption Certificate and Signature Certificate.
- The new public certificate is available here: Conformity SAML 2.0 X.509 signing and encryption certificate and is valid until August 17th, 2023.
- SAML service provider metadata is available here: Conformity SAML 2.0 service provider metadata / https://us-west-2.cloudconformity.com/v1/sso/saml/metadata.xml?certificate=next
3. Update your identity provider configuration
- Create a backup of the existing identity provider configuration.
- Upload the Service provider metadata.
- Upload the certificate for Signature and the certificate for Encryption (if required) to the Conformity application on your identity provider. We support both the old certificate and the new one until the old certificate expires, so there won’t be any interruption to your service while you switch over.
Note: Most Microsoft ADFS and Keycloak setups can use metadata, while Okta and other identity providers need the certificate directly. You can use the same certificate for both signing and encryption if required.
4. Verify configuration
As an Admin user in Conformity, sign in using the updated SSO configuration either from the new Enterprise sign-on page (Note `certificate=new` in the URL) or directly from your identity provider dashboard. If the warning you saw in step 1 is no longer present, your new configuration is working as expected.
- Make sure you are signed in as an admin in Conformity and can access the “Administration” link on the top navigation.
- Make sure you sign in to Conformity via your identity provider and not directly using username and password.
- Verify the SHA-256 fingerprint of the certificate you downloaded. New certificate SHA-256 fingerprint: dfc3a71e13c399951b6d7c22b571da8e28f291ad1cba45945f12db08516bca7c
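The fingerprint check above can be scripted rather than compared by eye, which also covers the case where your identity provider consumed the service provider metadata instead of a certificate file. The following Python example is added here and is not Conformity's or Trend Micro's own code. It assumes the published value is the SHA-256 hash of the DER-encoded certificate (the same value `openssl x509 -noout -fingerprint -sha256` prints in colon-separated form); the metadata document and the base64 body inside it are constructed placeholders, not a real certificate, so the script runs offline. Pass it the metadata XML or PEM file you actually downloaded to check the real certificate.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, List

# SHA-256 value published on this help page for the new Conformity certificate.
EXPECTED_NEXT_CERT_SHA256 = "dfc3a71e13c399951b6d7c22b571da8e28f291ad1cba45945f12db08516bca7c"

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. "YWJj" is base64 of the bytes b"abc", a
# placeholder blob and NOT a real certificate; the entityID is likewise fake.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_fingerprint(fp: str) -> str:
    """Accept openssl-style 'AB:CD:..' or bare hex in any case; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def der_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour lines and base64-decode the body of a downloaded .pem/.crt."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def fingerprints_from_metadata(xml_text: str) -> Dict[str, List[str]]:
    """Return {"signing": [...], "encryption": [...]} SHA-256 fingerprints of every
    X509Certificate in the SP metadata. A KeyDescriptor without a 'use' attribute
    applies to both uses, so its certificate is listed under both keys.
    (For metadata from an untrusted source, parse with defusedxml instead.)"""
    root = ET.fromstring(xml_text)
    found: Dict[str, List[str]] = {"signing": [], "encryption": []}
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert_el in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert_el.text or "").split()))
            fp = der_sha256(der)
            for use in uses:
                found[use].append(fp)
    return found


def fingerprint_matches(actual: str, expected: str = EXPECTED_NEXT_CERT_SHA256) -> bool:
    """Constant-time comparison after normalizing both representations."""
    return hmac.compare_digest(normalize_fingerprint(actual), normalize_fingerprint(expected))


if __name__ == "__main__":
    # With the constructed sample every entry reports MISMATCH, as it should.
    for use, values in fingerprints_from_metadata(SAMPLE_METADATA).items():
        for fp in values:
            print(f"{use}: {fp} {'OK' if fingerprint_matches(fp) else 'MISMATCH'}")
```

For a certificate file, `der_sha256(pem_to_der(open("cert.pem").read()))` gives the value to pass to `fingerprint_matches`. If an identity provider shows the fingerprint with colons or in upper case, `normalize_fingerprint` makes those forms comparable without manual editing.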
You can contact our Customer Success team with 'SSO Certificate Rotation' in the subject line if you run into any issues or require further assistance.