Creating and updating the SP signing certificate for SAML authentication

If you are planning to use any of the advanced SAML authentication functions described in Configuring-advanced-functions-for-SAML-authentication, you must create the service provider (SP) signing certificate because it is not provided out of the box. 

You create a new file or update the SP certificate if it has expired. 

Related topics

Configuring-SAML-2-0-authentication

To update the signing certificate in BMC Helix SSO Admin Console 

  1. Log in to the BMC Helix SSO Admin Console.
  2. Navigate to General > Advanced tab.
  3. Enter the following details:
    • Keystore File with the full path
    • Keystore Password
    • Signing Key Alias
  4. Click Save.
  5. Navigate to Realm, and select a realm configured for SAML authentication.
  6. On the Authentication tab, click View Metadata and verify whether the SP metadata is updated with the new signing certificate.

To update the SP metadata at the IdP side 

  1. Export the SP metadata and save it to a local file.
  2. Share the exported SP metadata and the new signing certificate with the IdP team.
  3. If you have Active Directory Federation Services (AD FS) configured as the IdP, perform the following steps to add the new signing certificate:
    1. Open the context menu for the relying party trust and select the Update from Federation Metadata check box.
    2. Open the Properties dialog of the relying party for BMC Helix SSO .
    3. Navigate to the Signature tab, and click Add.
    4. Select the new signing certificate file, and click OK.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*