Metadata Certificate Rotation for Cirrus Bridge

Table of Contents 

Overview

Step 1 - Request New Keys

Step 2 - Update Your Federated Metadata

Step 3 - Contact Non-federated SPs 

Step 4 - Schedule a Cutover Time

Step 5 - Start Using with the New Keys and Test

Step 6 - Remove Old Certificate

Overview

While the certificates in SAML metadata are designed to be long-lived and often will last for ten years or more, eventually they expire and metadata needs to be updated. Cirrus will generate the new signing keys and provide the public ones to you. Then you will engage with InCommon or CAF as well as all service providers that you have set up with a bilateral integration. For a short period of time, your metadata will contain both certificates to facilitate the transition. After the transition, the old certificate will be removed.

We recommend reaching out to Cirrus at least two months prior to expiration to give yourself enough time to communicate with any bilateral SPs. Failure to complete this process will result in service providers not working when the old certificate expires, because they are not aware of the change. 

Step 1 - Request New Keys 

Email support@cirrusidentity.com to request the new keys. Cirrus will generate the new signing keys and provide the public ones to you. We will automatically add the new certificate to your Cirrus maintained metadata. All signing will still be done with the old key at this time. 

Step 2 - Update Your Federated Metadata

• For InCommon, this involves logging to the Federation Manager and add the new certificate to the Metadata, while keeping the old one for now. 
• For the Canadian access Federation, contact CAF Support with the methods listed at https://www.canarie.ca/identity/support/contacts/. Provide the metadata link along with when you want to update the metadata.
• For other trust federations, contact your Federation Operator for instructions on how to add to your public certificates.
  
  

Step 3 - Contact Non-federated SPs 

Contact all non-federated service providers that you have bilaterally configured with the Cirrus Identity Bridge to notify them of the change and give them the link Cirrus provided to the metadata. 

• Ask if they support having two signing certificates for an IdP. 
• If they do, then they can update the metadata ahead of time and it should be a seamless transition.
• SPs that do not support two signing certificates will need to switch over to the new certificate once it starts being used, which may involve a period of being unable to access the app. 
• Once you schedule a cutover time with Cirrus, you will notify the SPs to coordinate their cutover to the new metadata at that time.
  
  

Step 4 - Schedule a Cutover Time

Coordinate a cutover time with Cirrus for when the new keys will be used. Federated metadata takes a few days to propagate out to all SPs, since it depends on the SP download schedule, and if it has to propagate to other trust federations. 

Step 5 - Start Using with the New Keys and Test

Cirrus will start signing the SAML response with the new key. If you are using encryption between Okta/EntraID and the Cirrus Bridge, you will need to update the encryption key at this time. If you have SPs that do not support two signing certificates, they will also need to switch over to the new metadata at this time. 

Please test your federated and bilateral integrated SPs to ensure that login continues to work.

Step 6 - Remove Old Certificate

Some time after the new key is in use, Cirrus will remove the old certificate from the Bridge. InCommon customers can then remove it from InCommon metadata in the Federation Manager. You can optionally notify SPs (and CAF for Canadian customers) that they can now use the updated metadata without the old certificate.