How to Update SSO Certificates for use with the ILLiad SAML Module
Applies to
- ILLiad
Answer
When an SSO provider (IdP) rotates its certificates, the new certificates must be installed on the ILLiad web server and referenced in the SAML.config file. For ILLiad web servers hosted by OCLC, contact OCLC Support and include the updated IdP metadata.
Administrators of a self-hosted ILLiad web server can use the following workflow to update the certificate(s) for a SAML site:
- Find the X509Certificate elements for signing and encryption in the IdP metadata file. Depending on the configuration, IdPs might only have a signing certificate which is valid
- Copy the contents of the element (no XML tags, just the base64 certificate text) into a text editor. Save the file in the same location as the SAML module (default C:\ILLiad\SAML) as either signing.cer or encryption.cer, depending on which certificate you copied
- In File Explorer, navigate to the location of the .cer file you just created and double-click on the file
- Click "Install Certificate"
- Choose "Local Machine"
- Choose "Place all certificates in the following store based on the type of certificate," hit Browse, and Save the certificate to the "Trusted People" store (not the default location)
- Click Next, then Finish
- In the certificate's Details tab, find the Thumbprint value. Copy it into the Thumbprint attribute of the corresponding Certificate element in SAML.config. It will look like Thumbprint="0eae65d277e263071a5desd8525752129sdfda8d" or similar. Place the thumbprint between the quotes
- Repeat the above steps for the encryption certificate if needed
- Save the SAML.config file
- Restart IIS
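The same workflow can be scripted so that the certificate text is never hand-copied and the thumbprint written to SAML.config is exactly the one Windows computed. The script below is an added example, not OCLC's or ILLiad's own code. It assumes (these are not confirmed by this article): the IdP metadata is a standard SAML 2.0 EntityDescriptor with md:KeyDescriptor/ds:X509Certificate elements; the metadata file path C:\ILLiad\SAML\idp-metadata.xml; that SAML.config holds Certificate elements with a Use attribute of "signing" or "encryption" alongside the Thumbprint attribute; and that the Import-Certificate cmdlet (PKI module, Windows Server 2012 or later) is available. Adjust the SAML.config selector to match your actual file before running it.

```powershell
# Added example (not from the OCLC article). Automates: extract IdP certs from
# metadata -> write signing.cer / encryption.cer -> import into
# LocalMachine\TrustedPeople -> write the thumbprint into SAML.config -> restart IIS.
param(
    [string]$MetadataPath = 'C:\ILLiad\SAML\idp-metadata.xml',  # assumed location
    [string]$SamlDir      = 'C:\ILLiad\SAML',                    # default from the article
    [switch]$RestartIis
)
$ErrorActionPreference = 'Stop'
$samlConfigPath = Join-Path $SamlDir 'SAML.config'

# --- Step 1: locate the X509Certificate elements in the IdP metadata.
[xml]$metadata = Get-Content -Raw -Path $MetadataPath
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

function Get-IdpCertBase64 {
    param([string]$Use)   # 'signing' or 'encryption'
    # A KeyDescriptor without a 'use' attribute covers both purposes.
    $xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='$Use' or not(@use)]" +
             "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $node = $metadata.SelectSingleNode($xpath, $ns)
    if ($null -eq $node) { return $null }
    return ($node.InnerText -replace '\s', '')   # strip line breaks from the base64 body
}

[xml]$config = Get-Content -Raw -Path $samlConfigPath
$changed = $false

foreach ($use in 'signing', 'encryption') {
    $b64 = Get-IdpCertBase64 -Use $use
    if (-not $b64) { Write-Warning "No $use certificate in metadata; skipping."; continue }

    # --- Step 2: save the certificate text as <use>.cer next to the SAML module.
    $cerPath = Join-Path $SamlDir "$use.cer"
    $body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    Set-Content -Path $cerPath -Encoding Ascii -Value `
        "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----"

    # Check the validity window before trusting it; an expired cert in the
    # metadata usually means you were given stale metadata.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "$use certificate is already expired (NotAfter=$($cert.NotAfter))."
    }
    Write-Host "$use cert: $($cert.Subject) valid until $($cert.NotAfter)"

    # --- Steps 3-7: install into the Trusted People store (not the default store).
    $imported = Import-Certificate -FilePath $cerPath `
                                   -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople'
    $thumb = $imported.Thumbprint

    # --- Step 8: put the thumbprint into the matching Certificate element.
    # Assumed layout: <Certificate Use="signing" Thumbprint="..."/>
    $element = $config.SelectSingleNode("//Certificate[@Use='$use']")
    if ($null -eq $element) {
        $element = $config.CreateElement('Certificate')
        $element.SetAttribute('Use', $use)
        [void]$config.DocumentElement.AppendChild($element)
    }
    if ($element.GetAttribute('Thumbprint') -ne $thumb) {
        $element.SetAttribute('Thumbprint', $thumb)
        $changed = $true
        Write-Host "SAML.config: $use thumbprint set to $thumb"
    }
}

# --- Step 10: save SAML.config (keeping a backup), then restart IIS if asked.
if ($changed) {
    Copy-Item -Path $samlConfigPath -Destination "$samlConfigPath.bak" -Force
    $config.Save($samlConfigPath)
}
if ($RestartIis) { iisreset }
```

Run it from an elevated PowerShell prompt (writing to the LocalMachine store requires administrator rights) and compare the thumbprint it prints with the one shown in the certificate's Details tab; they must match exactly, since the SAML module looks the certificate up by that value.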
Additional information
The SAML module tries certificates in the order in which they appear in the configuration file, so any old certificates that remain listed will continue to be used until they expire. Once the new certificates are confirmed to be in use, remove the old ones from the configuration.