Symantec Access Management

  • 1.  Updating SAML IDP Certificate for 50+ partnerships

    Posted Feb 26, 2016 11:04 AM

    Our SAML IDP signing certificate is about to expire. We are running Siteminder 12.51, and are wondering if anyone has any experience updating this certificate when it is in use by pretty much every IDP->SP partnership we have. Questions I have:

    1. I have requested a new CSR based on the existing certificate, and plan to click "update certificate" when the signed public key is returned.  Will it be possible to update this certificate while it is in use by all of the partnerships?

    2. If #1 does not work, has anyone done this a different way? I would really like to avoid having to Deactivate-->Change signing keys-->Re-activate each partnership where this is assigned as the signing certificate.


    Of course, any other insights anyone could provide would be much appreciated.


    Thanks!

    Dave



  • 2.  Re: Updating SAML IDP Certificate for 50+ partnerships
    Best Answer

    Posted Apr 05, 2016 03:12 AM

    Answer:

    #1 will work. You just need to update the certificate by clicking "update certificate"; you do not need to deactivate or reactivate the partnerships. Those partnerships reference this certificate via the alias name. Your renewal will have the same name but a different serial number.

    Important: remember to restart the policy server after the certificate update for it to take effect.


    If I've answered your question please mark my response as the Correct Answer.
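Added example, not part of this thread and not SiteMinder tooling: a POSIX shell check, assuming the OpenSSL command line is installed, that verifies the property the answer above relies on before you click "update certificate": the renewed certificate was issued from the existing key pair (the CSR was generated from the current key, so the alias can stay the same) but carries a new serial number and is not about to expire. A second function checks whether a copy of the IdP metadata already carries the renewed certificate. The file names old.pem, new.pem and metadata.xml are assumptions.

```shell
#!/usr/bin/env sh
# Added example; assumes the OpenSSL CLI. old.pem = current IdP signing cert,
# new.pem = renewed cert returned for the CSR, metadata.xml = IdP metadata (all PEM/XML).

# SHA-256 over the DER SubjectPublicKeyInfo: identical for every certificate
# issued for the same key pair, regardless of serial, validity or signature.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Serial number as printed by openssl (hex), e.g. "serial=03EA" -> "03EA".
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Base64 DER, i.e. the value that appears inside <ds:X509Certificate> in SAML metadata.
cert_blob() {
    openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# Returns 0 when $2 is a drop-in renewal of $1 (same key pair, new serial,
# valid for at least another 30 days) and prints the metadata blob; otherwise
# prints the reason on stderr and returns 1.
check_renewal() {
    old="$1"; new="$2"
    if [ "$(pubkey_fingerprint "$old")" != "$(pubkey_fingerprint "$new")" ]; then
        echo "public key changed: renewal was not issued from the existing key" >&2
        return 1
    fi
    if [ "$(cert_serial "$old")" = "$(cert_serial "$new")" ]; then
        echo "serial numbers are identical: this is not a renewed certificate" >&2
        return 1
    fi
    if ! openssl x509 -in "$new" -noout -checkend 2592000 >/dev/null; then
        echo "renewed certificate expires within 30 days" >&2
        return 1
    fi
    cert_blob "$new"
    echo
    return 0
}

# Returns 0 when the metadata file $1 contains certificate $2. Whitespace is
# stripped first because the X509Certificate element is usually line-wrapped.
metadata_contains_cert() {
    blob=$(cert_blob "$2")
    tr -d ' \t\r\n' < "$1" | grep -q -F "$blob"
}

# Typical use:
#   check_renewal old.pem new.pem && echo "safe to update the alias"
#   metadata_contains_cert metadata.xml new.pem || echo "metadata still carries the old cert"
```

The second check matters after the policy server restart: relying parties validate the IdP's assertion signatures against whatever certificate is in their copy of the IdP metadata, so any partner that imported metadata rather than trusting by alias needs the new `<ds:X509Certificate>` value before the old one expires.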