Trend Micro Cloud One™

Conformity SAML 2.0 SSO Certificate Rotation Guide

Introduction

Conformity supports SSO based on the SAML 2.0 standard and uses an RSA key pair to sign SAML login and logout requests. The public certificate of that key pair is used by some identity providers to verify this signature. The same public certificate is optionally used by some identity providers to encrypt SAML responses sent to Conformity.

Purpose

The current Conformity SSO certificate will expire by September 7th, 2020. Follow the instructions on this help page for the actions you may need to take to switch to the new certificate.

Audience

SSO identity provider administrators may be required to update the Conformity application configuration on the identity provider side. If your identity provider encrypts SAML responses or verifies the SAML request signature, you will need to switch to the new certificate.

Guide

1. Check whether you need to act

As an Admin user in Conformity, sign in using SSO either from the Enterprise sign-on page or directly from your identity provider’s dashboard. You will see a warning if your identity provider is using an old certificate and needs to be updated, as shown in the screenshot below:

2. Acquire the new certificate or service provider metadata

Depending on the type of identity provider you use, you will either find a field for service provider metadata, or one or more fields for Encryption Certificate and Signature Certificate.

3. Update your identity provider configuration

  1. Create a backup of the existing identity provider configuration.
  2. Upload the Service provider metadata.

    or

    Upload the certificate for Signature and the certificate for Encryption (if required) to the Conformity application on your identity provider. We support both the old certificate and the new one until the old certificate expires, so there won’t be any interruption to your service while you switch over.

Note: Most Microsoft ADFS and Keycloak setups can use metadata, while Okta and other identity providers need the certificate directly. You can use the same certificate for both signing and encryption if required.

4. Verify configuration

As an Admin user in Conformity, sign in using the updated SSO configuration either from the new Enterprise sign-on page (note the `certificate=new` parameter in the URL) or directly from your identity provider dashboard. If the warning you saw in step 1 is no longer present, your new configuration is working as expected.

Note: If you sign in to Conformity using the Enterprise sign-on page (SP-initiated SSO), you will need to inform your users to use the new Enterprise sign-on page after updating your SSO configuration.

Troubleshooting

  • Make sure you are signed in as an admin in Conformity and can access the “Administration” link on the top navigation.
  • Make sure you sign in to Conformity via your identity provider and not directly using username and password.
  • Verify the SHA-256 fingerprint (hash) of the certificate you downloaded before uploading it. New certificate SHA-256 fingerprint: dfc3a71e13c399951b6d7c22b571da8e28f291ad1cba45945f12db08516bca7c
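As an added example of the fingerprint check in the last bullet (this is not Conformity's own tooling), the script below computes the SHA-256 fingerprint of a downloaded certificate, PEM or DER, and compares it in constant time against the value published above. It assumes the published value is the SHA-256 over the DER encoding, i.e. what `openssl x509 -noout -fingerprint -sha256` prints without the colons; the file name `conformity-sso-new.cer` is a placeholder.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint published on this help page for the new Conformity SSO certificate.
EXPECTED_NEW_CERT_SHA256 = "dfc3a71e13c399951b6d7c22b571da8e28f291ad1cba45945f12db08516bca7c"

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM or DER input.

    For PEM input only the first CERTIFICATE block is used, so a download that
    also carries an intermediate chain still yields the leaf certificate.
    """
    match = _PEM_BLOCK.search(data)
    if match:
        body = b"".join(match.group(1).split())  # drop line breaks and spaces
        return base64.b64decode(body, validate=True)
    return data  # no PEM armour: assume raw DER (.cer/.der download)


def sha256_fingerprint(data: bytes) -> str:
    """Lower-case hex SHA-256 over the DER encoding (assumed to match the
    value the help page publishes; same as openssl's -fingerprint -sha256)."""
    return hashlib.sha256(certificate_der(data)).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept the colon-separated, upper-case form many IdP consoles display."""
    return value.replace(":", "").replace(" ", "").strip().lower()


def fingerprint_matches(data: bytes, expected: str) -> bool:
    """Constant-time comparison of a downloaded certificate against the
    published fingerprint; returns False when `expected` is not 64 hex chars."""
    expected_norm = normalize_fingerprint(expected)
    if not re.fullmatch(r"[0-9a-f]{64}", expected_norm):
        return False
    return hmac.compare_digest(sha256_fingerprint(data), expected_norm)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "conformity-sso-new.cer"  # placeholder
    with open(path, "rb") as fh:
        ok = fingerprint_matches(fh.read(), EXPECTED_NEW_CERT_SHA256)
    print("fingerprint OK" if ok else "FINGERPRINT MISMATCH: do not upload this file")
```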

If you have difficulty signing in after updating the SSO configuration, you can revert to the previous certificate and previous metadata to unblock access.

You can contact our Customer Success team directly via support@cloudconformity.com with ‘SSO Certificate Rotation’ in the subject line if you run into any issues or require further assistance.