AnsweredAssumed Answered

Certificate rollover for token signing in SM12.52 - ADFS pain

Question asked by ffc on Jul 28, 2017
Latest reply on Jul 31, 2017 by Patrick-Dussault

Hi there,


we've been setting up several new partnership federations lately, where we use CA SSO 12.52 SP1 CR04 as a Service Provider to serve multiple Identity Providers implemented with different technologies, but always sticking to SAML2.0.


One of our IDPs is using Microsoft ADFS and we had a hard time explaining them that the federation stopped working when their token signing certificate was automatically replaced by some procedure that puts a new certificate online to be downloaded with metadata. Appearently they were assuming we could automatically download and install the new certificate without any notification.


They say their ADFS will do the certificate rollover without intervention,assumed our Siteminder would do the same, and even if they are willing to alert us on new certificate release, the fact that is the ADFS itself that substitute them without intervention would prevent them to agree with us a coordinate action to reduce the outage. 


I came across a feature that's from SM 12.6:


  • Signing key rollover support using secondary verification certificates—You can configure a secondary verification certificate alias at the IdP and SP to verify the signatures on messages. A remote entity can issue a new verification certificate any time. The reasons can include a key being compromise, certificate expiry, or a change in key size. Specifying a secondary verification certificate eliminates the need to coordinate system-wide updates of signing and verification certificates simultaneously. 

    An entity first tries to verify the message signature with the primary certificate. If the verification fails, the entity uses the secondary certificate for signature verification. The Secondary Verification Certificate Alias field is configurable in the remote IdP and SP configurations and in the Signature and Encryption step of any SAML 2.0 partnership. To aid in troubleshooting, log messages have been added to the Policy Server trace log, smtracedefault.log. Refer to the instructions for configuring an SP-to-IdP partnership to enable these new features.

No secondary certificate option is available for encryption



It seems the perfect feature to ease the problem, since this would allow us to load the new certificate in advance and whenever the IDP ADFS rolls the old one away, our Service Provider would be already fitted with the new one and there would be no outage at all.


Unfortunately I found news about this feature on v. 12.6 but we are still on 12.52 SP01CR04.


Does anyone know of similar possibilities on 12.52 SP1 CRxx? I could plan a quick in-place upgrade to a greater CR than the currently installed 04 but it's a bit more complicated do jump to a newer major release.


Are there any possibilities to backport the feature to 12.52SP1 by any means? that would be a life-saver for us, since I see more and more ADFS partnership upcoming...


Thank you all!