Rotating Identity Provider SAML Certificates

Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to rotate SAML service provider (SP) credentials in Pivotal Cloud Foundry (PCF).

Overview

SAML SP credentials are one example of configurable certificates in Pivotal Application Service (PAS). When PAS is configured to use an external SAML IDP, it uses a configurable certificate authority (CA) certificate to authenticate to that external SAML server. The CA generates ephemeral certificates that PAS includes in its outbound request message headers. This CA has a two-year expiration period.

In addition, the Single Sign-On for VMware Tanzu service uses the same PAS SAML certificates for every external SAML IDP integration, such as trust, partnership, or federation. You must rotate these in lockstep with PAS. For more information about Single Sign-On for VMware Tanzu, see the Single Sign-On for VMware Tanzu documentation.

This topic provides an example of how to rotate certificates for each IDP, including temporarily disabling certificate validation on the IDP side during the rotation.

For more information about rotating SAML certificates, see PCF Advisory - SAML Service Provider Credential Certificates Expire after 2 Years in the VMware Tanzu Knowledge Base.

Prerequisites

SAML SP credentials are only required for your PAS deployment if all of these conditions are met:

  • You are using Single Sign-On for VMware Tanzu in production for login to PAS or using the Single Sign-On for VMware Tanzu service for login to apps.

  • You are using SAML IDPs for PAS or Single Sign-On for VMware Tanzu service plans.

  • You had Ops Manager generate a certificate for you by clicking the Generate RSA Certificate button.

  • You are validating the signature of SAML authentication requests with your IDP.

Rotate SAML Certificates

To regenerate and rotate SAML SP certificates without disrupting PAS or your apps using the Single Sign-On for VMware Tanzu service:

  1. Disable certificate validation in your IDP.

  2. For PAS, follow the procedure in the table below that corresponds to your use case. This includes downloading and importing a new certificate and updated SAML metadata in your IDP.

    Solution Name                                   Procedure
    CA Single Sign-On (also known as CA SiteMinder) Configuring CA as an Identity Provider
    PingFederate                                    Configuring PingFederate as an Identity Provider
    Active Directory Federation Services (AD FS)    Configuring AD FS as an Identity Provider

  3. For the Single Sign-On for VMware Tanzu service, follow the procedure in the table below that corresponds to your use case. This includes downloading the SAML SP metadata for each SAML IDP integration, such as trust, partnership, or federation, and importing the updated SAML SP metadata in your IDP.

    Solution Name                       Procedure
    AD FS                               Configuring a Single Sign-On for VMware Tanzu Service Provider
    CA Single Sign-On for VMware Tanzu  Configuring a Single Sign-On for VMware Tanzu Service Provider
    Okta                                Configure Okta as an Identity Provider
    PingFederate                        Configure PingFederate as an Identity Provider
    Additional Documentation            Integration Guides

  4. Re-enable certificate validation in your IDP.
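The following POSIX shell script is an added example, not code from the Pivotal or VMware documentation. It shows the check worth running between steps 3 and 4: extract the signing certificate from the SAML SP metadata that the IDP imported, confirm its SHA-256 fingerprint matches the certificate PAS now presents, and confirm the new certificate is not already close to its two-year expiry, all before validation is re-enabled in the IDP. It assumes openssl and standard utilities (grep -o, fold, mktemp) are available. The certificate and the SP metadata it reads are constructed inline so the script runs offline: a self-signed certificate stands in for the one Ops Manager generates, and pas-saml-sp.example.test is a placeholder entityID.

```shell
#!/bin/sh
# Added example, not part of the Pivotal/VMware documentation.
# Verifies a SAML SP certificate rotation before the IDP re-enables validation:
#   (1) the certificate the IDP imported must match the one PAS now presents;
#   (2) the new certificate must not already be near its expiry.
# Assumes openssl, POSIX sh, grep -o, fold and mktemp.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extract the first X509Certificate element from SP metadata and re-wrap it as PEM.
# $1 = path to SP metadata XML (the file the IDP imported in step 2 or 3).
sp_signing_cert_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    tr -d '\n\r\t ' < "$1" \
        | grep -o 'X509Certificate>[^<]*' | head -n 1 \
        | sed 's/^X509Certificate>//' | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# SHA-256 fingerprint of a PEM certificate, printed as "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# (openssl -checkend itself exits 0 when the certificate will NOT expire.)
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed SP metadata in the shape UAA publishes; $1 = PEM cert, $2 = output path.
build_sp_metadata() {
    b64="$(sed '/^-----/d' "$1" | tr -d '\n')"
    cat > "$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="pas-saml-sp.example.test">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Constructed stand-in for the certificate Ops Manager generates (self-signed,
# two-year validity to match the CA lifetime described in the topic).
openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
    -subj '/CN=pas-saml-sp.example.test' \
    -keyout "$WORK/sp-key.pem" -out "$WORK/sp-cert.pem" >/dev/null 2>&1

build_sp_metadata "$WORK/sp-cert.pem" "$WORK/sp-metadata.xml"

# What the IDP holds after importing the new metadata.
sp_signing_cert_pem "$WORK/sp-metadata.xml" > "$WORK/idp-imported.pem"

NEW_CERT_FP="$(cert_fingerprint "$WORK/sp-cert.pem")"
IDP_CERT_FP="$(cert_fingerprint "$WORK/idp-imported.pem")"

# Exit 0 only when both conditions for re-enabling validation hold.
rotation_verified() {
    [ -n "$NEW_CERT_FP" ] && [ "$NEW_CERT_FP" = "$IDP_CERT_FP" ] || return 1
    # A freshly rotated certificate that expires within a month means the wrong
    # (old) certificate was imported or generated.
    if expires_within_days "$WORK/sp-cert.pem" 30; then
        return 1
    fi
    return 0
}

if rotation_verified; then
    echo "OK: IDP certificate $IDP_CERT_FP matches PAS and is not near expiry; safe to re-enable validation"
else
    echo "MISMATCH or near expiry: keep validation disabled and re-check the imported metadata" >&2
fi
```

Against a real deployment, point sp_signing_cert_pem at the SP metadata downloaded from PAS or the Single Sign-On for VMware Tanzu service, and compare its fingerprint with the certificate exported from the IDP's relying-party configuration; the two must agree before step 4.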