Conformity SAML 2.0 SSO Certificate Rotation Guide
Conformity supports SSO based on SAML 2.0 standard and uses an RSA key pair to sign SAML login and logout requests. The public certificate of the key is used by some Identity Providers to verify this signature. The same public certificate is optionally used by some Identity Providers to encrypt SAML responses sent to Conformity.
The current Conformity SSO certificate will expire by September 7th, 2020. Follow the instructions on this help page for actions that you may need to take to switch to the new certificate.
SSO identity provider administrators may be required to update the Conformity application configuration on the identity provider side. If your identity provider encrypts SAML responses or verifies the SAML request signature, you will need to switch to the new certificate.
1. Check whether you need to act
As an Admin user in Conformity, sign in using SSO either from the Enterprise sign-on page or directly from your identity provider’s dashboard. You will see a warning if your identity provider is using an old certificate and needs to be updated, as shown in the screenshot below:
2. Acquire the new certificate or service provider metadata
Depending on the type of identity provider you use, you will either find a field for service provider metadata, or one or more fields for Encryption Certificate and Signature Certificate.
3. Update your identity provider configuration
Upload the Service provider metadata.
Upload the certificate for Signature and the certificate for Encryption (if required) to Conformity application on your identity provider. We support both the old certificate and the new until the old certificate expires, so there won’t be any interruption to your service while you switch over.
4. Verify configuration
As an Admin user in Conformity, sign in using the updated SSO configuration either from the new Enterprise sign-on page (Note `certificate=new` in the URL) or directly from your identity provider dashboard. If the warning you saw in step 1 is no longer present, your new configuration is working as expected.
You can contact our Customer Success team directly via firstname.lastname@example.org with ‘SSO Certificate Rotation’ in the subject line if you run into any issues or require further assistance.