Managing Certificates and Metadata for SAML Authentication

Return to menu

Introduction

The Certificate Manager allows you to create (see Creating a New Certificate) or replace (see Replacing a Certificate) a certificate for SAML authentication. A certificate may need to be replaced for security measures or when a certificate is near expiration. The replacement of a certificate is recommended every two to three years.

Creating a New Certificate

Use this procedure to create a new certificate.

1. On the User Authentication Wizard page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard), make sure that your institution appears in the Owner field.

   

   Verify Owner Field on Login Profiles Page

2. In the list of profiles, click Certificate next to the SAML profile.

   

   Login Profiles List

3. From the Certificate drop-down list, select a certificate. You can choose a certificate based on its expiration date and whether it is self-signed.

   

   Select Certificate

4. Click Save.

5. Create a file that contains information about Primo as the service provider:

   1. Click Download Metadata to get a local copy of the metadata file. If you have configured additional SAML profiles to support additional IDPs, you must perform this operation for each of the profiles..

      

      Download Metadata Button

   2. Depending the browser you are using, a dialog box may appear. Save the file to your machine.

      

      Save File Dialog Box

   3. Send the file to your Authentication Manager.

6. On the IDP, create a backup file for the old metadata file. If you support multiple IDPs for SAML, perform this operation on each of them.

7. On the IDP, upload and install the new metadata file. If you support multiple IDPs for SAML, make sure that you install the appropriate metadata file on each IDP.

   After the metadata file has been replaced, end users will not be able to log on to the Front End UI until the new metadata file has been activated in the Primo Back Office.

8. Repeat steps 1 through 2 to re-edit the certificate for your login profile.

   If you decide not to activate the new metadata file, click Delete New Metadata and re-install the backup copy of the old metadata file on the IDP.

9. Click Activate Metadata to activate the new certificate. If you have configured more than one SAML profile, it is only necessary to perform this operation on one of the profiles.

   

   Activate Metadata Button

10. Click OK to continue with the activation.

    

    Continue Activation Prompt

11. Verify that users can log on to the Front End UI.

Replacing a Certificate

Use this procedure to replace an existing or expired SAML certificate.

1. On the User Authentication Wizard page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard), make sure that your institution appears in the Owner field.

   

   Verify Owner Field on Login Profiles Page

2. In the list of profiles, click Certificate next to the SAML profile.

   

   Login Profiles List

3. Click OK to continue.

   

   Continue to Certificate Manager

4. From the Certificate drop-down list, select a certificate. You can choose a certificate based on its expiration date and whether it is self-signed.

   

   Select Certificate

5. Click Save.

6. Create a file that contains information about Primo as the service provider:

   1. Click Download Metadata next to the New Certificate field to get a local copy of the metadata file. If you have configured additional SAML profiles to support additional IDPs, you must perform this operation for each of the profiles..

      

      Download Metadata Button

   2. Depending the browser you are using, a dialog box may appear. Save the file to your machine.

      

      Save File Dialog Box

   3. If you have configured the AUTH_BASE_URL field in your login profile, edit the file and replace the URLs shown in bold below with the contents of the AUTH_BASE_URL field.

      <?xml version="1.0" encoding="UTF-8"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="787e867e7d6b404f842faf5bbf5006aa" entityID="https://s.com/primo_library/libweb/VOLCANO"> <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate>MIIFKDCCBBCgAwIBAgIQDNKHcxHQe79LJSYe7bWJZzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQG EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3Vy ZSBTZXJ2ZXIgQ0EwHhcNMTYwNzI1MDAwMDAwWhcNMTkxMDAyMTIwMDAwWjByMQswCQYDVQQGEwJV UzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xHTAbBgNVBAoTFEVYIExJQlJJ UyAoVVNBKSBJTkMuMR8wHQYDVQQDExZzYW1sLmV4bGlicmlzZ3JvdXAuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEArdprVYNVUndGUkf3HvrQQl58Xom46MNKnPKH0xzJz9f6VF0x md/cZ+Kq3COOKbabKEKwfVvFwCrbQjbkr3JuvRcu7g4QBqizgRv+rbovR5xDZIcJKTX+truHJp6h PYInf5uJFwDaHUZDktO7rI4MJIsdrOTAy2TWpDNOfYmTHI2pc4W84P31uiZtyx7nkzKou4fDBn40 uW1XBb3f9NKq1TClYFCeh7CigLW3m+7HZbDpb+7Q5DMqNx8i/6yzxUBeB387i7PV3hCBFei3KPrG PPqyHTxgejYZrbKI4hIdbaITCAKykOplRmMlbzs/vCWHYlOHLt9AJGVqR2hmYV7xvwIDAQABo4IB 3TCCAdkwHwYDVR0jBBgwFoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFM5UM4K1H5P8 2L2qrnZsBH2Ttny4MCEGA1UdEQQaMBiCFnNhbWwuZXhsaWJyaXNncm91cC5jb20wDgYDVR0PAQH/ BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilo dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc1LmNybDAvoC2gK4YpaHR0cDovL2Ny bDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEw KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYI KwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYB BQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2 ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEADHHA7rOMK4kgzm89gElB tVTYN4VYdNOpMc0DBG9eWTeVV85l4DShUD2rgbvoDjsMCLryuvxXnxcWk5gKRNHtDfHH8S3McGwN vIuLJhHzb5K2VvyZbDs53Gep3b7k805Gx9VsbdgU5zTZlDD+PexrsHCwjyW2I/YlhnRC5avvV+AT gv5WQZKnV7l7xNWS2UqckorYdEGecbvohCkUFlfid5t5QBBN1QpuY2oge5Oxc8HncnY7DMk3Bx0j Dg41TLzXFX4SEYx6G7MlhvoJIfl0k0o8TTO8w+SowpvVpbkx1iGXR9h0RuO+BhDrOjcj5iwQ1/U7 WvHKUsSzDOVAB0dDSw==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://s.com/primo_library/libweb/samlLogout"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://s.com/primo_library/libweb/samlLogin" index="0" isDefault="true"/> </md:SPSSODescriptor> </md:EntityDescriptor>
      Example Primo Metadata File

   4. Send the file to your Authentication Manager.

7. On the IDP, create a backup file for the old metadata file. If you support multiple IDPs for SAML, perform this operation on each of them.

8. On the IDP, upload and install the new metadata file. If you support multiple IDPs for SAML, make sure that you install the appropriate metadata file on each IDP.

   After the metadata file has been replaced, end users will not be able to log on to the Front End UI until the new metadata file has been activated in the Primo Back Office.

9. Repeat steps 1 through 2 to re-edit the certificate for your login profile.

   If you decide not to activate the new metadata file, click Delete New Metadata and re-install the backup copy of the old metadata file on the IDP.

10. Click Activate Metadata next to the New Certificate field to activate the new certificate. If you have configured more than one SAML profile, it is only necessary to perform this operation on one of the profiles.

    

    Activate Metadata Button

11. Click OK to continue with the activation.

    

    Continue Activation Prompt

12. Verify that users can log on to the Front End UI.

Page tags: article:topicproduct:primocontent:Documentationlang:english