Hello,
Recently a customer sent us a new IdP metadata file containing their new security certificate - they are switching from Symantec to DigiCert. I ran the ImportMetadata tool from the samples solution provided by ComponentSpace and placed the new certificate file it generated in the folder for my web application. Unfortunately, I’m getting an error message:
The SAML assertion signature failed to verify.
I did not change any of the configuration for the site, since this was supposed to be just a new certificate. Once I got the error I changed a couple things and got different errors. Should this just be plug and play with the new cert or am I totally wrong here?
Hi Matt
It’s possible that the IdP hasn’t switched to the new certificate.
If you revert to the previous certificate does it work?
The ImportMetadata tool supports basic scenarios such as adding new metadata etc.
In your scenario, if they haven’t yet switched the certificate but will soon, you can edit the configuration to specify both certificates.
Under your <PartnerIdentityProvider> in saml.config, you should have a PartnerCertificateFile.
I suggest setting this to the new certificate that was imported with ImportMetadata.
Add a SecondaryPartnerCertificateFile to specify the old certificate.
For example:
<PartnerIdentityProvider
Name="xxxx"
PartnerCertificateFile="certificates\idp-new.cer"
SecondaryPartnerCertificateFile="certificates\idp-old.cer"
/>
We’ll attempt to verify the signature using the PartnerCertificateFile.
If that fails, we’ll attempt to verify the signature using the SecondaryPartnerCertificateFile.
Once the IdP has moved to the new certificate you can remove the old certificate from the configuration at your leisure.
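The primary-then-secondary verification order described in this answer, as an added stand-alone example (not ComponentSpace code): it uses throwaway RSA keys in place of the public keys that would be read from the PartnerCertificateFile and SecondaryPartnerCertificateFile .cer files, signs a constructed sample assertion the way an IdP would (RSA PKCS#1 v1.5 over SHA-256), and reports which key verified it, so an SP can log secondary hits and see when the old certificate can be removed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// GenerateIdPKey stands in for an IdP signing certificate. In production the
// public key comes from the .cer files named in saml.config; here we generate
// throwaway RSA keys so the example runs offline.
func GenerateIdPKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignAssertion simulates the IdP signing an assertion: RSA PKCS#1 v1.5 over a
// SHA-256 digest, the usual SAML XML-DSig algorithm pairing.
func SignAssertion(idpKey *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
}

// VerifyWithRotation tries the primary (new) key first and the secondary (old)
// key only if that fails. It returns which key verified the signature so the SP
// can log secondary hits and know when the old certificate can be dropped.
func VerifyWithRotation(primary, secondary *rsa.PublicKey, assertion, sig []byte) (string, error) {
	digest := sha256.Sum256(assertion)
	if rsa.VerifyPKCS1v15(primary, crypto.SHA256, digest[:], sig) == nil {
		return "primary", nil
	}
	if secondary != nil && rsa.VerifyPKCS1v15(secondary, crypto.SHA256, digest[:], sig) == nil {
		return "secondary", nil
	}
	return "", errors.New("the SAML assertion signature failed to verify")
}

func main() {
	oldKey, _ := GenerateIdPKey()
	newKey, _ := GenerateIdPKey()
	assertion := []byte("<Assertion ID=\"_constructed-sample\">...</Assertion>") // constructed sample
	sig, _ := SignAssertion(oldKey, assertion)                                   // IdP has not switched yet
	used, err := VerifyWithRotation(&newKey.PublicKey, &oldKey.PublicKey, assertion, sig)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("verified with", used) // "secondary": IdP still signs with the old certificate
}
```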
Is there a minimum version for this feature? I added that configuration parameter and got an error saying that the config was bad. Looks like I have version 2.6.0.7
Version 2.6.0.7 dates back to 2015.
Support was added in v2.6.0.15.
Please contact support@componentspace.com for upgrade information.