IBM Security Verify

  • 1.  ISVA- SAML SP partner certificate update

    Posted Mon June 13, 2022 05:47 AM
    Hi,

    I noticed that if I update a SAML SP partner at more than one IDP (on the same appliance) because of certificate expiration, and the partner already exists on other IDPs using the same certificate for validation and/or encryption, then ISVA updates the certificate the first time but does not update the certificate configuration the second time, on the second IDP.

    Example:
    before update SP:
    idp1 - partner1 - validation-123
    idp2 - partner1 - validation-123

    after update SP:
    idp1 - partner1 - validation-456
    idp2 - partner1 - validation-123 (old cert)

    It is clear that ISVA does not import the certificate if it recognises it in the KDB / P12 (rt_profile_keys), but the problem is that ISVA does not update the Partner configuration with the new certificate information.

    Affected versions: 10.0.2.0 and 10.0.3.1 too.

    Is it a normal behavior?


    Thank you!

    ------------------------------
    Sándor Lakner
    ------------------------------


  • 2.  RE: ISVA- SAML SP partner certificate update

    Posted Mon June 13, 2022 11:15 AM
    Edited by JACK YARBOROUGH Mon June 13, 2022 11:15 AM
    Hello Sándor,

    Even though they have the same Provider ID and are using the same certificate, the same partner on different Federations has different identifiers under the covers. Effectively they are not the same even though their information is the same. Whenever a partner is created it receives a unique identifier. Updating idp1-partner1 is a unique combination and would not affect idp2-partner1. You need to explicitly update both of them.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: ISVA- SAML SP partner certificate update

    Posted Tue June 14, 2022 04:58 AM
    Hi Jack,

    Thank you for your answer. 
    I have explicitly updated the Partner on all IDPs step by step. 
    The new certificate was set on idp1-partner1, but the old certificate remained untouched for idp2-partner1 until I deleted the old (previous) certificate from the KDB / P12 and updated the SP on IDP2 or IDP3 again. After deletion of the old certificate, the new cert is set on the other IDPs for Partner1 too.

    Best regards,
    Sándor

    ------------------------------
    Sándor Lakner
    ------------------------------



  • 4.  RE: ISVA- SAML SP partner certificate update

    Posted Tue June 14, 2022 02:10 PM
    Hello Sándor,

    You should open a support case with detailed recreate steps for this issue.

    That sounds like a defect.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 5.  RE: ISVA- SAML SP partner certificate update

    Posted Fri June 24, 2022 03:54 AM
    Hi Jack,

    Thank you!
    I have opened a support case.
    Just for info, we could reproduce it on ISVA 10.0.1 FP1, 10.0.2 and 10.0.3.1 as well.
    One workaround we found: before updating the Partner, the certificate has to be deleted from the keystore; then ISVA sets the proper certificate for all affected SPs.

    Best regards,
    Sándor

    ------------------------------
    Sándor Lakner
    ------------------------------
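A way to verify, after an update like the one discussed in this thread, that every federation really holds the new partner certificate. This is an added example, not code from the thread or from IBM: it assumes you have one SAML SP metadata document per federation's view of the partner (constructed sample inputs below, with placeholder blobs in place of real certificates), fingerprints each KeyDescriptor certificate and reports federations still carrying a certificate that differs from the newly imported one.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprints(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use (signing/encryption) in SP metadata to the
    SHA-256 fingerprint of the embedded certificate bytes."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        fp = hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()
        # A KeyDescriptor without 'use' applies to both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            result[use] = fp
    return result

def find_stale(per_federation: dict, expected: dict) -> dict:
    """Return {federation: {use: fingerprint}} for every federation whose
    partner certificate differs from the expected (newly imported) one."""
    stale = {}
    for fed, xml in per_federation.items():
        fps = cert_fingerprints(xml)
        diff = {u: fps.get(u) for u in expected if fps.get(u) != expected[u]}
        if diff:
            stale[fed] = diff
    return stale

def sample_metadata(cert_b64: str) -> str:
    # Constructed SP metadata; the certificate content is a placeholder blob,
    # not a real X.509 certificate (the check only fingerprints the bytes).
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sp.example.test/saml"><md:SPSSODescriptor>'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

OLD = base64.b64encode(b"constructed placeholder: old partner cert").decode()
NEW = base64.b64encode(b"constructed placeholder: new partner cert").decode()
# Mirrors the thread: idp1 was refreshed, idp2 still holds the old certificate.
PARTNER1_VIEWS = {"idp1": sample_metadata(NEW), "idp2": sample_metadata(OLD)}

if __name__ == "__main__":
    print(find_stale(PARTNER1_VIEWS, cert_fingerprints(sample_metadata(NEW))))
```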