Both the Security Assertion Markup Language (SAML) certificate and the OpenID Connect (OIDC) client secret of your configured SSO have a limited validity period. Once this period has expired and no new certificate or client secret has been installed, SSO login is no longer possible.
Typical error message during SSO login:
Please note: Monitoring the validity periods is the responsibility of your IT department. Use the monitoring options available in the identity provider (IdP) you use.
Procedure to change: SAML certificate
- If you have not already done so, provide AEB Support with the App Federation Metadata URL for the business application used and the ID of that business application. AEB uses these to set up an automation that retrieves the currently configured certificate for each SSO login.
App Federation Metadata URL can be provided and entered by AEB Support:
- Find the App Federation Metadata URL for the business application.
- Create a new SAML certificate for the business application.
- Create a ticket with AEB Support via the following link:
Set up metadata URL for SAML certificate
Enter the following information in the ticket:
- Business Application ID
- App Federation Metadata URL
- Expiration date of the old SAML certificate
- You will receive feedback from AEB Support once the SAML certificate currently configured in the business application is active.
- Switch to the new SAML certificate for the business application.
- Finally, test the functionality of the SSO login. To do this, use an InPrivate or Incognito browser window to rule out caching problems.
- These steps are only necessary once, after which the currently stored SAML certificate is automatically retrieved for SSO.
App Federation Metadata URL cannot be provided:
- Create a new SAML certificate for the business application.
- Create a ticket with AEB Support using the following link:
Exchange SAML certificate
Enter the following information in the ticket:
- Business Application ID
- Expiration date of the old SAML certificate
- New SAML certificate as .CER file
- In the ticket, agree a time with AEB Support at which the SAML certificate will be changed. Both sides should switch at the same time if possible: while the certificate used by your company differs from the certificate expected by AEB, SSO login is not possible.
- At the agreed time, switch to the new SAML certificate for the business application.
- Finally, test the SSO login functionality. Use an InPrivate or Incognito browser window to rule out caching problems.
- These steps are required every time the SAML certificate is changed. Therefore, AEB Support recommends providing the App Federation Metadata URL for automatic synchronization.
Procedure to change: OIDC client secret
- Create a new client secret for the business application.
- Create a ticket with AEB Support using the following link:
Exchange OpenID Connect Client Secret
Enter the following information in the ticket:
- Business Application ID
- Expiration date of the old client secret
- Expiration date of the new client secret
- Never send your client secret to AEB in plain text. Transfer it only over a secure channel, for example by switching to a different medium, via a secure link to a password tool, or by uploading it to an AEB OneDrive.
- In the ticket, agree a time with AEB Support at which the client secret will be changed. Both sides should switch at the same time if possible: while the client secret used by your company differs from the client secret expected by AEB, SSO login is not possible.
- At the agreed time, switch to the new client secret for the business application.
- Finally, test the functionality of the SSO login. Use an InPrivate or Incognito browser window to rule out caching problems.
- These steps are required every time the OIDC client secret is changed. Automatic synchronization is not possible in this case.
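The note at the top of this page makes monitoring the validity periods the IT department's job, and the last step above records that OIDC client secrets cannot be synchronized automatically. The following Go program is an added example, not AEB's automation or any AEB-provided tool, of a local expiry check: it parses a SAML federation metadata document of the kind an App Federation Metadata URL serves, reads the notAfter date of every certificate it advertises, and keeps manually recorded OIDC client secret expiry dates in the same list, so that both can be reported against a warning threshold. The metadata document, its entity ID and the application ID are constructed placeholders, and the certificate is a self-signed one generated inside the program to stand in for the identity provider's signing certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Expiry is one credential to watch: a SAML certificate found in the federation
// metadata, or an OIDC client secret whose expiry date was noted when it was created.
type Expiry struct {
	Name     string
	NotAfter time.Time
	DaysLeft int // negative once the credential has expired
}

// samlMetadata models only the certificate path of a SAML 2.0 EntityDescriptor;
// encoding/xml matches local names, so md:/ds: prefixes in real files do not matter.
type samlMetadata struct {
	EntityID string   `xml:"entityID,attr"`
	Certs    []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// NewExpiry computes whole days remaining, truncated toward zero. For an OIDC
// client secret, pass the expiration date the IdP showed when the secret was
// created; the secret value itself is never stored here.
func NewExpiry(name string, notAfter, now time.Time) Expiry {
	return Expiry{Name: name, NotAfter: notAfter, DaysLeft: int(notAfter.Sub(now).Hours() / 24)}
}

// CheckSAMLMetadata parses a federation metadata document (what an App Federation
// Metadata URL serves) and reports the expiry of every certificate it advertises.
func CheckSAMLMetadata(metadataXML []byte, now time.Time) ([]Expiry, error) {
	var md samlMetadata
	if err := xml.Unmarshal(metadataXML, &md); err != nil {
		return nil, fmt.Errorf("parse metadata: %w", err)
	}
	var out []Expiry
	for _, b64 := range md.Certs {
		// Each element holds base64 DER, usually wrapped across several lines.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
		if err != nil {
			return nil, fmt.Errorf("decode certificate: %w", err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		name := fmt.Sprintf("SAML certificate %q for %s", cert.Subject.CommonName, md.EntityID)
		out = append(out, NewExpiry(name, cert.NotAfter, now))
	}
	return out, nil
}

// Due returns entries expiring within warnDays or already expired, i.e. the
// ones a change ticket should be opened for now.
func Due(entries []Expiry, warnDays int) []Expiry {
	var due []Expiry
	for _, e := range entries {
		if e.DaysLeft <= warnDays {
			due = append(due, e)
		}
	}
	return due
}

// SelfSignedCertB64 builds a throwaway certificate that stands in for the IdP
// signing certificate, so the example runs without network access.
func SelfSignedCertB64(cn string, notBefore, notAfter time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// SampleMetadata wraps a certificate in a constructed metadata document;
// the entity ID is a placeholder, not a real tenant.
func SampleMetadata(certB64 string) []byte {
	return []byte(`<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.invalid/tenant-placeholder/">
  <IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data><X509Certificate>` + certB64 + `</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor></IDPSSODescriptor>
</EntityDescriptor>`)
}
```

In a real deployment the body passed to CheckSAMLMetadata would be fetched on a schedule from the App Federation Metadata URL, and the OIDC entries would be created from the expiration dates noted when each client secret was generated. Metadata can list more than one certificate, for instance during a rollover, which the loop reports one by one; a warning threshold of a few weeks leaves enough time to agree the change date with AEB Support as described above.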