Updating the SAML Session Provider assertion signing key store

During the SAML Session Provider installation, assertion signing keys are generated. The corresponding assertion signing certificate is configured in the Identity Provider to enable validation of signed messages from the SAML Session Provider.

The validity of the assertion signing certificate is ten years. Renew the certificate when the expiry date is reached or when the certificate is corrupted.

Note: To renew the signing key store, the minimum SAML Session Provider version is 1.13.42.

  1. Log in to Grid as a user with the grid-admin role.
  2. Access the SAML Session Provider management pages.
  3. Click SAML Session Provider Signing Certificate.
  4. Click Renew SAML Session Provider signing certificate.
  5. In the confirmation popup, click Renew.
  6. Update the Identity Provider (IdP) to trust the new assertion signing certificate.
    • If the IdP is AD FS, continue with step 7.
    • If the IdP is PingFederate, continue with step 8.

  7. Update AD FS.

    See Add Assertion Consumer Service endpoint to AD FS.

    • If all the steps of the procedure were performed after the initial installation, perform step 11 onwards.
    • If the procedure was not performed after installation, perform all the steps now.

  8. Update the SP configuration in PingFederate.
  9. Verify the login and logout actions.
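
A check that fits between steps 6 and 9, as an added example that is not part of the product documentation: compare the SHA-256 fingerprint of the renewed signing certificate with the copy the IdP now trusts, and confirm the new expiry. It assumes both certificates have been saved to files (PEM or DER) and that the `openssl` CLI is available; all file names are hypothetical, and the certificates generated at the end are constructed sample data.

```shell
#!/bin/sh
# Added example, not product code. File names are hypothetical.

# Emit a certificate as PEM, accepting either PEM or DER input.
to_pem() {
    openssl x509 -in "$1" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" 2>/dev/null
}

# Print the SHA-256 fingerprint (empty output if the file is not a certificate).
cert_fingerprint() {
    to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed only if both files hold the same certificate.
same_cert() {
    fp_a=$(cert_fingerprint "$1")
    fp_b=$(cert_fingerprint "$2")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Succeed if the certificate is still valid $2 days from now.
valid_for_days() {
    to_pem "$1" | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample data: throwaway self-signed certificates stand in for the
# old and the renewed signing certificate.
work=$(mktemp -d)
make_sample() {   # $1 = name, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-sp-signing" \
        -days "$2" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
make_sample old 30
make_sample renewed 3650
# Stand-in for the copy exported from the IdP, saved as DER.
openssl x509 -in "$work/renewed.pem" -outform DER -out "$work/idp-trusted.cer"

if same_cert "$work/renewed.pem" "$work/idp-trusted.cer"; then
    echo "IdP copy matches the renewed certificate"
else
    echo "MISMATCH: IdP does not hold the renewed certificate"
fi
same_cert "$work/old.pem" "$work/idp-trusted.cer" ||
    echo "old certificate is no longer the trusted one"
valid_for_days "$work/renewed.pem" 365 &&
    echo "renewed certificate is valid for at least a year"
```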