Updating the OpenAir SAML Signing and Encryption Certificates in the Identity Provider Configuration

SAML signing and encryption certificates add integrity and confidentiality protections when you use SAML single sign-on (SSO) to access OpenAir. Signing and encryption rely on X.509 certificates, which carry the public keys used to verify and encrypt data exchanged between the OpenAir service provider (SP) and your identity provider (IdP). The IdP uses the OpenAir signing certificate to verify the signature on the authentication request sent by the OpenAir SP. The IdP uses the OpenAir encryption certificate to encrypt the assertion it returns to the OpenAir SP, so that only OpenAir can read its content.

OpenAir SAML certificates on sandbox and production environments have a finite lifetime. OpenAir rotates SAML certificates before they expire.

When OpenAir rotates its SAML certificates, you must retrieve the new certificate from your OpenAir account, save it in PEM format, and import it into your identity provider product on the service provider profile you created for this OpenAir account. An IdP that still holds the previous certificate cannot verify or encrypt for OpenAir once that certificate has expired, and SAML SSO fails.

Important:

Do not use the TLS (SSL) certificate your browser shows for the OpenAir website. SAML certificates are distinct from TLS certificates: the TLS certificate secures the HTTPS connection between your browser and the OpenAir server, is configured and maintained on the server side, and plays no part in SAML signing or encryption.

Before OpenAir rotates the SAML certificates, you receive a proactive feature change notification (PFCN) stating when the new certificates become available and when the previous certificates expire.

To update the OpenAir SAML signing and encryption certificates in your identity provider configuration:

  1. In OpenAir, go to Administration > Account > Integration: SAML Single Sign-On > [Select the active identity provider profile].

    The identity provider profile form opens.

  2. Click the link under Entity ID.

    (Screenshot: Entity ID link)

    The OpenAir SAML metadata associated with the identity provider profile appears.

  3. Right-click anywhere on the page and select View Page Source from the context menu.

    The page source appears.

    (Screenshot: page source of the SAML metadata page)

  4. Copy the text between the <ds:X509Certificate> and </ds:X509Certificate> tags.

    Make sure that you select the entire certificate text and only the certificate text before you copy it to your clipboard. Do not select any of the characters in the <ds:X509Certificate> and </ds:X509Certificate> tags. Leading or trailing tag characters, or a truncated selection, produce a file the identity provider cannot parse.

  5. Paste the content of the clipboard into a text editor.

  6. Insert the following certificate header on a separate line at the top.

     -----BEGIN CERTIFICATE-----

  7. Insert the following certificate footer on a separate line at the bottom.

     -----END CERTIFICATE-----

  8. Save the file. Use the file extension .pem or .crt, depending on which extension the identity provider product requires for SAML certificates. The content is the same in either case: a base64 (PEM) encoded X.509 certificate.

    (Screenshot: SAML signing certificate in a text editor)

  9. In your identity provider product, go to the service provider profile you set up for your OpenAir account and import the PEM or CRT SAML certificate file for OpenAir under both the Signing certificate and Encryption certificate sections. After the import, confirm that the expiry date the identity provider displays for the certificate is the new one announced in the PFCN, not the date of the certificate you are replacing.