SAML Authentication Request signing key rotation
Here are the steps you should follow to avoid any down time during the key and certificate rotation:
- Generate a new Private Key for signing and a corresponding verification certificate.
- Upload this new verification certificate as the Next certificate for signature verification in the Cloudera Management Console.
- Click Update Authentication Settings.
- Get the latest SAML Service Provider Metadata from the Cloudera Management Console. The latest service provider metadata must now list both the “current” and “next” certificates as “signing” certificates.
- Upload this service provider metadata to your actual Identity Provider, so that Identity Provider now has both the old and new verification certificates. Including both certificates in the SP metadata allows a smooth key rotation without downtime, ensuring that authentication requests signed with either the current or new key can be validated during the transition period.
- In the Cloudera Management Console:
  - Upload the new private key in the Private key for signing SAML AuthnRequest field.
  - Upload the new verification certificate as the Current certificate for signature verification.
  - Remove the Next certificate for signature verification by clicking the Remove button or by entering an empty string.
  - Click Update Authentication Settings.
- Get the latest SAML Service Provider Metadata from the Cloudera Management Console. This metadata should now have only one “signing” certificate, carrying the new value.
- Upload this updated service provider metadata to your Identity Provider to complete the key rotation process.
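A practical way to confirm that each metadata download is in the state the steps above expect is to parse the SP metadata and list the fingerprints of the certificates it advertises for signing. The following script is an added example, not Cloudera's code and not part of the original page: it uses only the Python standard library, the standard SAML 2.0 metadata and XML-DSig namespaces, and constructed placeholder byte strings in place of real DER certificates (the entityID and the `build_sp_metadata` helper are likewise assumptions made so the example runs offline). Point `signing_cert_fingerprints` at a real metadata file after step 4 and you should see two fingerprints; after the final step you should see exactly one, the new certificate's.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List

# SAML 2.0 metadata and XML-DSig namespaces (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates": in real metadata these are
# base64-encoded DER X.509 certificates; here they are labelled byte
# strings so the example runs offline without any key material.
OLD_CERT_DER = b"constructed-placeholder: current signing certificate"
NEW_CERT_DER = b"constructed-placeholder: next signing certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def build_sp_metadata(signing_certs: List[bytes]) -> str:
    """Construct a minimal SP metadata document with one signing
    KeyDescriptor per certificate (a stand-in for the file downloaded
    from the Management Console; the entityID is a placeholder)."""
    descriptors = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        % base64.b64encode(der).decode("ascii")
        for der in signing_certs
    )
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
        'entityID="https://sp.example.invalid/saml">'
        '<md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        "%s</md:SPSSODescriptor></md:EntityDescriptor>"
        % (NS["md"], NS["ds"], descriptors)
    )


def signing_cert_fingerprints(metadata_xml: str) -> List[str]:
    """Return the fingerprint of every certificate the SP advertises for signing."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for both
        # signing and encryption, so it counts as a signing certificate too.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Base64 in metadata is usually wrapped across lines; strip whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint(der))
    return fps


def rotation_stage(metadata_xml: str, old_fp: str, new_fp: str) -> str:
    """Classify a metadata document against the state each rotation step expects."""
    fps = signing_cert_fingerprints(metadata_xml)
    if old_fp in fps and new_fp in fps:
        return "transition"   # both certificates listed: safe to upload to the IdP
    if fps == [new_fp]:
        return "complete"     # only the new certificate: rotation finished
    if fps == [old_fp]:
        return "not-started"  # only the old certificate: Next cert not yet added
    return "unexpected"       # anything else deserves a look before uploading


if __name__ == "__main__":
    old_fp, new_fp = fingerprint(OLD_CERT_DER), fingerprint(NEW_CERT_DER)
    for label, certs in (("after step 4", [OLD_CERT_DER, NEW_CERT_DER]),
                         ("after final step", [NEW_CERT_DER])):
        md = build_sp_metadata(certs)
        print(label, signing_cert_fingerprints(md), rotation_stage(md, old_fp, new_fp))
```

The "unexpected" outcome is the one worth acting on: if the transition-stage metadata lists only one certificate, the Identity Provider will reject AuthnRequests signed with the other key once you switch, which is exactly the downtime the two-certificate window is meant to avoid.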
