OCLC Support

How to Update SSO Certificates for use with the ILLiad SAML Module


Applies to

  • ILLiad

Answer

When an identity provider (IdP) rotates the certificates it publishes in its SAML metadata, the new certificates must be installed on the ILLiad web server and their thumbprints updated in the SAML.config file. For ILLiad web servers hosted by OCLC, contact OCLC Support and include the updated IdP metadata.

Self-hosted ILLiad web server administrators can use the following workflow to update the certificate(s) for a SAML site:

  1. In the IdP metadata file, find the KeyDescriptor elements for signing (use="signing") and encryption (use="encryption"); each contains an X509Certificate element holding the base64-encoded certificate. Depending on the configuration, an IdP might publish only a signing certificate, which is valid.
  2. Copy the contents of the X509Certificate element (the base64 text only, no XML tags) into a text editor. Save the file in the same folder as the SAML module (default C:\ILLiad\SAML) as either signing.cer or encryption.cer, depending on which certificate you copied.
  3. In File Explorer, navigate to the .cer file you just created and double-click it.
  4. Click "Install Certificate".
  5. Choose "Local Machine".
  6. Choose "Place all certificates in the following store," click Browse, select the "Trusted People" store (not the default store), and click OK.
  7. Click Next, then Finish.
  8. Open the .cer file again, switch to the Details tab, and select the Thumbprint field. Copy the value into the Thumbprint attribute of the corresponding Certificate element in SAML.config, placing it between the quotes, e.g. Thumbprint="0eae65d277e263071a5desd8525752129sdfda8d" (a placeholder; the real value is 40 hexadecimal characters). Remove any spaces, and check that the dialog did not copy an invisible leading character along with the value: a hidden character or stray space makes the thumbprint fail to match and the certificate will not be found.
  9. Repeat the above steps for the encryption certificate if needed.
  10. Save the SAML.config file.
  11. Restart IIS (for example, run iisreset from an elevated command prompt).
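The same workflow as a script, for administrators who would rather not click through the certificate wizard twice per rotation. This is an added example, not code from OCLC or from the ILLiad SAML module. It assumes the IdP metadata has been saved as C:\ILLiad\SAML\idp-metadata.xml, that the module lives in C:\ILLiad\SAML, and that it is run from an elevated PowerShell prompt on the ILLiad web server; all three are assumptions, not facts from the page. Because the page does not show the full structure of SAML.config, the script does not edit that file: it extracts the signing and encryption certificates from the metadata, writes signing.cer / encryption.cer, installs them into the Local Machine "Trusted People" store, reports the clean 40-character thumbprints to paste into the Certificate elements, and then cross-checks every Thumbprint="..." already in SAML.config for hidden characters, missing certificates and expired ones.

```powershell
<#
  Added example, not code from OCLC or the ILLiad SAML module.
  Assumptions (not stated on the page): IdP metadata saved as
  C:\ILLiad\SAML\idp-metadata.xml, module folder C:\ILLiad\SAML,
  run from an elevated PowerShell prompt on the ILLiad web server.
#>
param(
    [string]$MetadataPath = 'C:\ILLiad\SAML\idp-metadata.xml',   # assumed location of the saved metadata
    [string]$SamlDir      = 'C:\ILLiad\SAML',                    # default module folder from the page
    [switch]$RestartIis                                          # step 11, opt-in
)

[xml]$md = Get-Content -LiteralPath $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$descriptors = $md.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor', $ns)
if ($descriptors.Count -eq 0) { throw "No KeyDescriptor found under IDPSSODescriptor in $MetadataPath" }

# Same store the wizard is pointed at in step 6: Local Machine -> Trusted People.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

$results = @()
foreach ($use in 'signing', 'encryption') {
    # A KeyDescriptor with no "use" attribute is valid for both purposes.
    $kd = $descriptors | Where-Object { $_.GetAttribute('use') -in @($use, '') } | Select-Object -First 1
    if (-not $kd) { Write-Warning "IdP metadata publishes no $use certificate (valid if the IdP only signs)"; continue }

    $node = $kd.SelectSingleNode('.//ds:X509Certificate', $ns)
    if (-not $node) { throw "KeyDescriptor use=$use has no ds:X509Certificate element" }
    $b64 = $node.InnerText -replace '\s', ''                 # drop line breaks/indentation from the metadata

    # Parse the certificate first so a garbled copy fails here rather than inside IIS.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$use certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

    # Step 2: save as signing.cer / encryption.cer (base64 text only, as the page describes).
    $cerPath = Join-Path $SamlDir "$use.cer"
    Set-Content -LiteralPath $cerPath -Value $b64 -Encoding ASCII

    # Steps 3-7: install into Trusted People. Add() is a no-op if the certificate is already there.
    $store.Add($cert)

    $results += [pscustomobject]@{
        Use        = $use
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint                        # 40 hex characters, no spaces: paste into SAML.config
        File       = $cerPath
    }
}
$store.Close()
$results | Format-Table -AutoSize

# Step 8 check: every Thumbprint="..." in SAML.config must be clean hex and resolve to an installed certificate.
$cfgPath = Join-Path $SamlDir 'SAML.config'
if (Test-Path -LiteralPath $cfgPath) {
    $installed = Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPeople'
    foreach ($m in [regex]::Matches((Get-Content -LiteralPath $cfgPath -Raw), 'Thumbprint="([^"]*)"')) {
        $tp = $m.Groups[1].Value
        if ($tp -notmatch '^[0-9A-Fa-f]{40}$') {
            Write-Warning "SAML.config thumbprint '$tp' is not 40 hex characters (hidden character or stray space?)"
            continue
        }
        $hit = $installed | Where-Object { $_.Thumbprint -eq $tp.ToUpperInvariant() }
        if (-not $hit) { Write-Warning "SAML.config thumbprint $tp is not installed in Trusted People" }
        elseif ($hit.NotAfter -lt (Get-Date)) { Write-Warning "SAML.config thumbprint $tp expired $($hit.NotAfter); remove it from the config" }
        else { Write-Host "OK  $tp  valid until $($hit.NotAfter)" }
    }
}

if ($RestartIis) { iisreset }                                # step 11
```

Run it once without -RestartIis, paste the reported thumbprints into SAML.config (steps 8 to 10), then run it again with -RestartIis: the second run's cross-check confirms the new thumbprints resolve before IIS is restarted, and flags any old entries that have already expired and can be removed.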

Additional information

The SAML module tries the certificates in the order in which they appear in the configuration file, so an old certificate that is still listed will keep being used until it is no longer valid. Once the new certificates are in use, remove the old ones from the configuration: an expired entry is dead weight, and an unexpired one means assertions signed with the old key are still accepted, which undoes the benefit of a rotation done because that key may have been exposed.

Page ID

61454