After renewing the IDM certificate, SAML doesn't work
After following the procedure for renewing the IDM certificate, our SAML with ADFS doesn't work: the user is redirected to ADFS, but there is no prompt for username and password. Fortunately, using the old spring_saml_metadata.xml file is possible and users are working. Has anyone completed the IDM certificate renewal procedure?
I have noticed that in the old (and good) spring_saml_metadata the CN of the certificate is SMAXIDM, and in the new (and bad) one it is LOCALHOST. But the procedure does not explain what it should be.
And what do you think will happen when the IDM certificate expires?
In the IDM logs there are some related messages that I cannot understand:
2020-08-14T14:15:00.122+0200 ERROR [http-nio-8080-exec-2] com.hp.ccue.identity.spring.preauth.PreAuthFilter - Incoming HTTP request has invalid X-Auth-Token header. Aborting pre auth processing. URL: /idm-service/api/scim/organizations/902370360_db/users, The token has expired
2020-08-14T14:15:02.935+0200 INFO [https-jsse-nio-8443-exec-5] org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;172.16.98.96;https://....../idm-service/saml/metadata;http://......./adfs/services/trust;;;
For anyone interested:
The procedure on the SMAX Doc portal is only for the CDF IdM certificate (that is, for Administrators).
For the Suite (that is, for End Users and Operators), IdM normally auto-generates the certificate and no action is required.
But in our system we have a modified IdM infrastructure with a custom IdM certificate; in this case we have to renew the custom certificate manually.
Here is the procedure to renew the certificate file; we can use the following workaround:
Connect to the SMAX IDM instance database.
Run the SQL command to get the DB config items' values and back them up:
select name,value from system_resource_config where name like '%keystore%';
Clean up the old values by running the following SQL commands against the IdM DB:
update system_resource_config set value = '' where name = 'idm.saml.keystore.password';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultKey.name';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultPublicKey';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultPrivateKey';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultCertificate';
Then restart the SMAX IdM pod.
Thanks & Regards,
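The same reset as one transactional script, added here as an example; it is not part of the post above or of any vendor documentation. It assumes the IdM database is PostgreSQL and uses only the table, column and item names quoted in the answer; the backup table name system_resource_config_bak_saml and the row-count check are my own additions, so the five rows are never left half-cleared if one statement fails.

```sql
-- Added example (not the original post's or the vendor's procedure).
-- Assumes PostgreSQL and the system_resource_config(name, value) table
-- named above. Run it in a single session so the transaction holds.
BEGIN;

-- 1. Backup: keep the current values next to the live table before touching
--    anything. The backup table name is an assumption; it also contains the
--    private key (idm.saml.keystore.defaultPrivateKey), so drop it once the
--    new certificate is confirmed working.
CREATE TABLE IF NOT EXISTS system_resource_config_bak_saml (
    backed_up_at timestamptz NOT NULL DEFAULT now(),
    name         text        NOT NULL,
    value        text
);

INSERT INTO system_resource_config_bak_saml (name, value)
SELECT name, value
FROM   system_resource_config
WHERE  name LIKE '%keystore%';

-- 2. Show what is about to be cleared (only lengths; the values are secrets).
SELECT name, length(value) AS value_length
FROM   system_resource_config
WHERE  name IN ('idm.saml.keystore.password',
                'idm.saml.keystore.defaultKey.name',
                'idm.saml.keystore.defaultPublicKey',
                'idm.saml.keystore.defaultPrivateKey',
                'idm.saml.keystore.defaultCertificate')
ORDER  BY name;

-- 3. Clear all five keystore items in one statement instead of five.
UPDATE system_resource_config
SET    value = ''
WHERE  name IN ('idm.saml.keystore.password',
                'idm.saml.keystore.defaultKey.name',
                'idm.saml.keystore.defaultPublicKey',
                'idm.saml.keystore.defaultPrivateKey',
                'idm.saml.keystore.defaultCertificate');

-- 4. Verify: exactly five rows must now be empty. If cleared_rows is not 5,
--    issue ROLLBACK instead of COMMIT and investigate before restarting IdM.
SELECT count(*) AS cleared_rows
FROM   system_resource_config
WHERE  name IN ('idm.saml.keystore.password',
                'idm.saml.keystore.defaultKey.name',
                'idm.saml.keystore.defaultPublicKey',
                'idm.saml.keystore.defaultPrivateKey',
                'idm.saml.keystore.defaultCertificate')
AND    value = '';

COMMIT;
```

After COMMIT, restart the IdM pod as the answer describes. Because IdM regenerates the SAML signing key pair on start, the service provider certificate inside spring_saml_metadata.xml changes; export the new metadata and update the relying party trust in ADFS, otherwise ADFS still trusts the old certificate and the observed "redirect but no login prompt" behaviour is what you get. To roll back, restore the five values from system_resource_config_bak_saml and restart the pod again.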
It seems like a fragment of the official procedure for renewing the IdM certificate for CDF. We were looking for Suite IdM certificate renewal. Now it is closed by Support action.