Client Action Required - SAML SSO Certificate Updates Required - June 2023


SAML SSO Certificate Updates Required

Existing certificates will be retired by June 25th, 2023. Affected SAML SSO connections using the expired certificate after this date will no longer function and users will be unable to log in.

A toggle to apply the new certificate, once updated on your SSO provider, will be released and available in the LMS portal settings to administrators tentatively on June 8th, 2023. An additional announcement will be posted if this date changes.

OpenID Connect and Absorb SSO methods are not affected.

Absorb is renewing the certificate that validates Single-Sign-On (SSO) requests initiated by our system. The x509 key for this certificate will, therefore, be changing. The old certificate will be retired by June 25th, 2023. Any affected clients will need to update to the new certificate key or upload the new metadata to external applications with SAML SSO connections to Absorb before this date.

  • Important for all clients utilizing SSO with an active Absorb LMS instance:
    • Any affected SSO connections that do not have their X509 certificate and the 'Use Newer SAML' toggle (released June 8th) updated before June 25th 2023 will encounter interruptions to their SSO integration.

    • Note that updates to your SSO certificates and review of your SSO configuration and use case must be performed by SSO admins within your organization that own and manage your SSO integration. Absorb internal teams cannot perform these changes, nor be responsible for reviewing the setup/use case of your SSO provider.
      Please feel welcome to forward this announcement to such teams/individuals.

    • See more information below on steps required, impact, and more.

 

Who Will This Impact?

All clients who are using SAML SSO with Absorb and who have any SSO connection using any of the following modes will need to update the certificate key in the metadata. The SSO mode can be validated from Portal Settings > Manage SSO Settings:

  • Service Provider (SP) Initiated Incoming SAML SSO
  • Service Provider (SP) Initiated Outgoing SAML SSO
  • Service Provider (SP) Initiated SAML SSO with Single Logout enabled 
  • Identity Provider (IdP) Initiated SAML SSO with Single Logout enabled 
  • Identity Provider (IdP) Initiated Incoming SAML SSO where the IdP requires Absorb's certificate

Clients who are using Identity Provider (IdP) Initiated Incoming SAML SSO without single logout and where the IdP does not require Absorb's certificate are not affected. OpenID Connect and Absorb SSO methods are also not affected.

Some external applications do not verify the signature on a SAML Request. Please refer to your external application's documentation and configuration to confirm whether the Absorb certificate is currently in use for your SSO connection. 

Please note:  Sandbox environments are unaffected by this change and do not require updating. 

 

When Must Updates Be Completed?

Clients will be able to move to the new certificate at their convenience until the end of the day on Sunday, June 25th, 2023, when the old certificate expires.

  • IMPORTANT - Do not update your certificate until you have read through the 'Update Absorb SSO configuration' and other steps below. The new certificate will not apply until the associated 'Use Newer SAML' toggle is also enabled.

 

Next Steps

Obtain new certificate
The new certificate and/or metadata can be found in one of the following articles, depending on the type of SSO connection you need to update (note: if you have multiple SSO connections, please check and update each one):

  • If you are using Service Provider (SP) initiated Incoming SAML SSO or Single Logout - please review the updated SP Metadata in our Incoming SAML SSO documentation. In this case, Absorb is the SP and your external application is the IdP; the Absorb certificate should be updated in the IdP.
  • If you are using SP initiated Outgoing SAML SSO - please review the updated Identity Provider (IdP) Metadata in our Outgoing SAML SSO documentation. In this case, Absorb is the IdP and your external application is the SP; the Absorb certificate should be updated in the SP.

Update external application with new certificate 
Each external application is different, but there are generally two ways to update the certificate key:

  1. Update the certificate key value directly in the external application's configuration. This is often a text field that allows you to paste in the base64-encoded X.509 certificate value (similar to the way Absorb's SSO key field works).
  2. Upload new Absorb SAML metadata to the external application (the metadata itself contains the updated certificate).

Update Absorb SSO configuration
IMPORTANT
- Between June 8th and June 25th 2023, both the new and old certificates will be usable.

A toggle will be made available in Absorb's Manage SSO Settings page on June 8th to determine which certificate each SSO connection uses.

  • Changing the Absorb certificate key and/or metadata in your external application must be done in concert with adjusting this toggle in Absorb, during this cut-over period.
  • Important for all clients utilizing SSO with an active Absorb LMS instance:
    • Any affected SSO connections that do not have their X509 certificate and the 'Use Newer SAML' toggle updated before June 25th 2023 will encounter interruptions to their SSO integration.
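An added check, not Absorb's own code: during the cut-over, it helps to confirm that the certificate value pasted into the external application is the same one carried in the metadata you downloaded, regardless of line wrapping or PEM headers. The metadata document and certificate bytes below are constructed placeholders, and all function names are this example's own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def cert_der(text):
    """Decode a certificate value (bare base64 or PEM, any wrapping) to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)

def metadata_fingerprints(metadata_xml):
    """Map SHA-256 fingerprint -> KeyDescriptor 'use' for each certificate in SAML metadata."""
    found = {}
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "any")  # no 'use' attribute: key serves signing and encryption
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = cert_der(cert.text or "")
            found[hashlib.sha256(der).hexdigest()] = use
    return found

def configured_matches(metadata_xml, configured_value):
    """True if the value configured in the external application appears in the metadata."""
    fp = hashlib.sha256(cert_der(configured_value)).hexdigest()
    return fp in metadata_fingerprints(metadata_xml)

# Constructed placeholder bytes standing in for the retiring and the new certificate.
OLD_DER = b"constructed placeholder: retiring certificate"
NEW_DER = b"constructed placeholder: new certificate"

def wrapped_b64(der, width=64):
    b64 = base64.b64encode(der).decode()
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))

def as_pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{wrapped_b64(der)}\n-----END CERTIFICATE-----"

def sample_metadata(der):
    """Constructed metadata with one signing KeyDescriptor (entityID is a placeholder)."""
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            'entityID="https://sp.example.invalid"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{wrapped_b64(der, 32)}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    new_md = sample_metadata(NEW_DER)
    print("new value configured:", configured_matches(new_md, as_pem(NEW_DER)))
    print("old value configured:", configured_matches(new_md, as_pem(OLD_DER)))
```
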
