Periodically, you'll need to update your SAML Populi IdP certificates. The best way to handle this is to make the updates before the existing certificates expire. Here is a brief guide on how to do that:
Generate new certificates
- Go to Account & Settings > Account Settings > SSO (IdP).
- Under Identify Provider Certificates, click Generate Certificate.
- Download the new certificate by clicking .
Update SAML service providers
Next, you'll update all of your SAML service providers to allow both your new certificate and the old, soon-to-expire certificate. You can let the rotation happen automatically when the old certificate expires. Or you can manually mark the new certificate as the default at any point before then and Populi will immediately begin using it to sign all SAML requests. It's likely best to do this after-hours to avoid any disruption for your school's users.
For any Service Provider which only allows a single Identity Provider Certificate to be uploaded, you'll need to set your new certificate as the default in Populi and then immediately update all single-certificate Service Providers with the new certificate. In this case, it's even more important to do this after-hours—your Service Providers will be temporarily broken until you update them.
If you don't manually update the new certificate as the default, the old certificate will be used until it expires. At that point, a new certificate will be automatically generated and used. However, this will most likely break all your Service Providers, since they will still have the the old expired certificate.
Need help?
As always, if you have any questions or would like help with generating new certificates, please contact Populi Support.
0 Comments