Forums, Documentation & Knowledge Base - ComponentSpace

SAML - Local certificate expires


https://www.componentspace.com/forums/Topic11479.aspx

By yannis - 3/12/2021

Hi all,

Question. I have a client using Ping as their underlying SSO provider. They have set up my company as the service provider. When their users log in via SSO on our platform they are redirected to a Ping screen to log in for their organization and then redirected back to our platform as logged in users.

Our certificate - set up as a local certificate under local service provider configuration - is about to expire. I have a few questions.

1. I assume we need to send them our updated PEM / CER file to update their end respectively. Correct?
2. They are quite slow at doing these changes. Can we use an expired certificate for some time while the new one is updated on their end?

Thanks

By ComponentSpace - 3/13/2021

In response to your questions:

1. Yes, you should supply them with a new PEM/CER file prior to your certificate expiring.

2. From our perspective you can use an expired certificate. We don't validate the certificate (i.e. check its expiry date etc). However, I'm not sure whether Ping performs any sort of certificate validation. You would need to check with the identity provider. Hopefully their configuration supports configuring both certificates (the old and new). This makes it easier to seamlessly handle certificate rollover.
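
One way to check ahead of time whether the local certificate needs rolling over and whether the replacement is ready to send to the identity provider, as an added example that is not part of the original thread or of ComponentSpace's code. It assumes the OpenSSL CLI is installed and both certificates are available as PEM files; the function names, file names and lead time are hypothetical.

```shell
# Added example: pre-rollover check for a SAML service provider certificate.
# Assumes the openssl CLI; OLD/NEW are PEM certificate paths chosen by the caller.

# Succeeds (0) when the certificate in $1 is still valid $2 days from now.
valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint of the certificate in $1. Quote it to the identity
# provider's administrator so they can confirm which certificate they loaded.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# rollover_status OLD.pem NEW.pem LEAD_DAYS
# Prints one status word and returns a matching exit code:
#   0 ok         old certificate is valid beyond the lead time
#   1 send-new   old certificate expires within the lead time and the
#                replacement is valid beyond it, so it can go to the IdP
#   2 not-ready  replacement is missing or itself expires within the lead time
rollover_status() {
  local old=$1 new=$2 lead=$3
  if valid_in_days "$old" "$lead"; then
    echo ok
    return 0
  fi
  if [ ! -r "$new" ] || ! valid_in_days "$new" "$lead"; then
    echo not-ready
    return 2
  fi
  echo send-new
  return 1
}
```

Pick a lead time longer than the identity provider usually takes to apply a change, so that `send-new` is reported while the old certificate is still valid.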