SAML SSO Certificate Updates Required
Absorb is renewing the certificate that validates Single-Sign-On (SSO) requests initiated by our system. The x509 key for this certificate will, therefore, be changing. The old certificate will be retired by July 17, 2020. Any affected clients will need to update to the new certificate key or upload the new metadata to external applications with SAML SSO connections to Absorb before this date. Any affected SSO connections that are not updated before July 17, 2020 will no longer function after this date.
Who Will This Impact?
All clients who are using SAML SSO with Absorb and who have any SSO connection using any of the following modes will need to update the certificate key or metadata. The SSO mode can be validated from Portal Settings > Manage SSO Settings:
- Service Provider (SP) Initiated Incoming SAML SSO
- Service Provider (SP) Initiated Outgoing SAML SSO
- Service Provider (SP) Initiated SAML SSO with Single Logout enabled
- Identity Provider (IdP) Initiated SAML SSO with Single Logout enabled
- Identity Provider (IdP) Initiated Incoming SAML SSO where the IdP requires Absorb's certificate
Clients who are using Identity Provider (IdP) Initiated Incoming SAML SSO without Single Logout, and where the IdP does not require Absorb's certificate, are not affected. OpenID Connect and Absorb SSO methods are also not affected.
Some external applications do not verify the signature on a SAML Request. Please refer to your external application's documentation and configuration to confirm whether the Absorb certificate is currently in use for your SSO connection.
When Must Updates Be Completed?
Clients will be able to move to the new certificate at their convenience until the end of day Friday, July 17th, 2020 when the old certificate expires. The new certificate key will be available for use after our June 2020 #2 release, beginning to roll out on June 28th (see this article for timing per region).
Obtain new certificate
The new certificate and/or metadata can be found in one of the following articles, depending on the type of SSO connection you need to update (note: if you have multiple SSO connections, please check and update each one):
- If you are using Service Provider (SP) initiated Incoming SAML SSO or Single Logout - please review the updated SP Metadata in our Incoming SAML SSO documentation. In this case, Absorb is the SP and your external application is the IdP; the Absorb certificate should be updated in the IdP.
- If you are using SP initiated Outgoing SAML SSO - please review the updated Identity Provider (IdP) Metadata in our Outgoing SAML SSO documentation. In this case, Absorb is the IdP and your external application is the SP; the Absorb certificate should be updated in the SP.
Update external application with new certificate
Each external application is different, but there are generally two ways to update the certificate key:
- Update the certificate key value directly in the external application's configuration. This is often a text field that allows you to paste in the base64-encoded x509 certificate value (similar to the way Absorb's SSO key field works).
- Upload new Absorb SAML metadata to the external application (the metadata itself contains the updated certificate).
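Whichever method is used, it helps to confirm that the certificate value configured in the external application is the one published in the metadata. The following Python is an added example, not part of Absorb's documentation: it extracts the signing certificates from SAML metadata and compares them, by SHA-256 fingerprint of the decoded bytes, with a pasted value in bare base64 or PEM form. The metadata, entityID and certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def cert_fingerprint(text):
    """SHA-256 of the decoded bytes, from bare base64 or PEM-wrapped text."""
    lines = [ln for ln in text.splitlines() if not ln.strip().startswith("-----")]
    der = base64.b64decode("".join("".join(lines).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the metadata publishes for signing."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without "use" covers both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.iter(DS + "X509Certificate"):
                found.add(cert_fingerprint(cert.text or ""))
    return found

def check_configured(metadata_xml, configured_value):
    """True if the pasted certificate value is one the metadata signs with."""
    return cert_fingerprint(configured_value) in signing_fingerprints(metadata_xml)

# Constructed placeholder bytes, not real certificates.
OLD_B64 = base64.b64encode(b"constructed-old-certificate").decode()
NEW_B64 = base64.b64encode(b"constructed-new-certificate").decode()
ENC_B64 = base64.b64encode(b"constructed-encryption-certificate").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_B64[:20]}
        {NEW_B64[20:]}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, value in (("old", OLD_B64), ("new", NEW_B64)):
        print(label, check_configured(SAMPLE_METADATA, value))
```

A `False` result for the value currently configured means the external application is still set to a certificate the metadata no longer lists for signing.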
Update Absorb SSO configuration
IMPORTANT: Between June 28th (see this article for timing per region) and July 17th, both the new and old certificates will be usable. A toggle will be made available in Absorb's Manage SSO Settings page to determine which certificate each SSO connection uses. Changing the Absorb certificate key and/or metadata in your external application must be done in concert with adjusting this toggle in Absorb, during this cut-over period.
The certificate/key will also need to be updated for clients testing SSO in an Absorb Sandbox environment. The new sandbox certificate and metadata can be found in the applicable articles noted above.