The following are recommended actions for all 黑料海角91入口 organizations using SSO applications:
Regenerate SAML SSO Application Certificates
All SAML SSO integrations require a certificate and private key pair. This certificate and private key pair can be auto-generated by 黑料海角91入口, or you can upload your own. In addition, some Service Providers require a Service Provider Certificate.
Admins should review their Service Provider's requirements before taking these steps, to limit downtime and prevent lockouts.
To rotate the cert for M365, please refer to the specific steps in the article.
To regenerate a 黑料海角91入口-created certificate and private key pair
Complete the following steps for each SAML SSO app integration you have configured for which you would like to use a 黑料海角91入口-created certificate and private key pair.
- Log in to 黑料海角91入口.
- Go to USER AUTHENTICATION > SSO.
- Select an SSO application from the list.
- Click the small triangle to the right of IDP Certificate Valid in the Single sign-on section of the left-hand panel.
- Select Regenerate certificate.
- Click Continue.
  After you regenerate the certificate, the private key is also regenerated.
- Click Save.
When you upload a new certificate, the stored private key is wiped, so upload the matching private key after you upload the certificate.
To update the IdP certificate in the Service Provider
Depending on how the Service Provider accepts certificates, do one of the following to upload the new certificate in the Service Provider's application.
To update the IdP certificate in the Service Provider using a metadata URL
If the Service Provider supports updating the configuration and certificate from a metadata file URL:
- Log in to 黑料海角91入口.
- Go to USER AUTHENTICATION > SSO.
- Select an SSO application from the list.
- Click the SSO tab.
- Click Copy Metadata URL.
- From the Service Provider's application admin console, paste the metadata URL in the designated place in their SAML SSO configuration page or section.
- Save the changes.
To update the IdP certificate in the Service Provider using a metadata file
If the Service Provider supports extracting the certificate from the metadata file:
- Export the metadata file from the SSO configured applications page:
  - Log in to 黑料海角91入口.
  - Go to USER AUTHENTICATION > SSO.
  - Click the checkbox next to the SSO application in the list.
  - Click Export Metadata.
- Alternatively, export the metadata file from the application's configuration details page:
  - Log in to 黑料海角91入口.
  - Go to USER AUTHENTICATION > SSO.
  - Select an SSO application from the list.
  - Click the SSO tab.
  - Click Export Metadata.
- From the Service Provider鈥檚 application admin console, upload the metadata file in the designated place in their SAML SSO configuration page or section.
- Save the changes.
To update the IdP certificate in the Service Provider by uploading the certificate
If the Service Provider supports uploading the IdP certificate file (.pem):
- If you just saved the application, click Download Certificate in the notification in the upper-right corner of the screen.
- Otherwise, download the certificate from the application's configuration details page:
  - Reopen the application.
  - Click the small triangle to the right of IDP Certificate Valid in the Single sign-on section of the left-hand panel.
  - Select Download Certificate.
- From the Service Provider鈥檚 application admin console, upload the certificate file in the designated place in their SAML SSO configuration page or section.
- Save the changes.
To update the IdP certificate in the Service Provider by copying and pasting the contents of the certificate file
If the Service Provider supports copying and pasting the contents of the certificate file (.pem):
- If you just saved the application, click Download Certificate in the notification in the upper-right corner of the screen.
- Otherwise, download the certificate from the application's configuration details page:
  - Reopen the application.
  - Click the small triangle to the right of IDP Certificate Valid in the Single sign-on section of the left-hand panel.
  - Select Download Certificate.
- From the Service Provider's application admin console, navigate to the SAML SSO configuration page or section.
- Open the certificate file (.pem) you downloaded from 黑料海角91入口.
- Copy the contents of the certificate file.
- Paste the contents of the certificate file in the designated place in the SAML SSO configuration page or section.
  Refer to the Service Provider documentation to determine whether the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines should be included when pasting the certificate contents.
- Save the changes.
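Whichever of the four methods above you use, the result worth confirming is the same: the metadata the Service Provider reads (from the metadata URL or the exported file) advertises the regenerated certificate, and a pasted certificate decodes to the same bytes whether or not the armor lines were included. The script below is an added example, not part of the original article or of 黑料海角91入口's tooling; it uses only the Python standard library, and the metadata document and base64 blobs in it are constructed placeholders standing in for real IdP metadata and DER certificates.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_to_der(text):
    # SPs differ on whether the BEGIN/END armor lines must be pasted; both forms
    # decode to the same DER bytes, so all comparison happens on those.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)

def fingerprint(der):
    # SHA-256 fingerprint, the value most SP consoles display next to the IdP cert.
    return hashlib.sha256(der).hexdigest().upper()

def signing_certs_from_metadata(metadata_xml):
    # Collect every signing certificate advertised by the IdP. A KeyDescriptor
    # with no 'use' attribute covers signing and encryption, so it counts too.
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(cert_to_der(c.text or ""))
    return certs

def rotation_status(metadata_xml, new_cert_pem):
    # Is the regenerated cert published, and is any other (old) signing cert still listed?
    new_fp = fingerprint(cert_to_der(new_cert_pem))
    published = [fingerprint(d) for d in signing_certs_from_metadata(metadata_xml)]
    return {"new_cert_published": new_fp in published,
            "other_certs_published": [fp for fp in published if fp != new_fp]}

# Constructed sample input: the base64 blobs are placeholders standing in for
# DER certificates, not certificates from any real IdP.
OLD_B64 = base64.b64encode(b"constructed-old-idp-cert").decode()
NEW_B64 = base64.b64encode(b"constructed-new-idp-cert").decode()
NEW_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{NEW_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
if __name__ == "__main__":
    print(rotation_status(SAMPLE_METADATA, NEW_CERT_PEM))
```

Point `rotation_status` at the metadata fetched from the Copy Metadata URL and at the .pem you downloaded; an old fingerprint still in `other_certs_published` means the Service Provider may keep accepting assertions signed with the retired key until that entry is removed.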
To update the Service Provider certificate in 黑料海角91入口
Some Service Providers require a Service Provider certificate. After you have updated the Service Provider with the new 黑料海角91入口 IdP certificate, complete the following steps for each SAML SSO app integration you have configured that requires a Service Provider certificate.
To update the Service Provider certificate in 黑料海角91入口 by uploading the Service Provider metadata file
- From the Service Provider's application admin console, navigate to the SAML SSO configuration page or section.
- Select the option to download the Service Provider metadata file.
- Log in to 黑料海角91入口.
- Go to USER AUTHENTICATION > SSO.
- Select an SSO application from the list.
- Click the SSO tab.
- Click Upload Metadata in the Service Provider Metadata section.
- Browse to the metadata file.
- Click Open.
- Click Save.
To update the Service Provider certificate in 黑料海角91入口 by uploading the certificate file
- From the Service Provider's application admin console, navigate to the SAML SSO configuration page or section.
- Select the option to download the Service Provider certificate.
- Log in to 黑料海角91入口.
- Go to USER AUTHENTICATION > SSO.
- Select an SSO application from the list.
- Click the SSO tab.
- Scroll to the Service Provider certificate section.
- Click Replace Service Provider Certificate.
  For a pre-built SSO integration, if there is no such section or button, a Service Provider certificate is not required.
- Browse to the certificate file.
- Click Open.
- Click Save.
Rotate SCIM Token Keys
Prerequisites
- Admin login credentials are required for each Service Provider's application for which a SCIM integration is configured.
Steps to take in 黑料海角91入口:
- Log in to 黑料海角91入口.
- Go to USER AUTHENTICATION > SSO.
- Search for the application whose Identity Management connection you want to deactivate and click it to open its details panel.
- Under the company name and logo on the left-hand side, click Deactivate IdM connection in the Identity Management section.
- Click Confirm to deactivate Identity Management for the application.
Steps to take in Service Provider:
- Disable the existing token, if possible.
- Generate a new token.
Steps to take in 黑料海角91入口:
- Reconfigure Identity Management connection using the new token following the steps from the Help Center article specific to the app in question or the Custom SCIM integration.
Learn More:
- Custom SCIM integration
- Slack SCIM integration
- From /support, search for the name of the application for which you configured a SCIM integration in 黑料海角91入口. The article name will be either "Integrating with {application name}" or "Identity Management with {application name}".
Regenerate OIDC Secrets
Prerequisites
- Admin login credentials for each Service Provider's application for which an SSO OIDC integration is configured.
Steps to take in 黑料海角91入口:
- Log in to 黑料海角91入口.
- Go to USER AUTHENTICATION > SSO and open the OIDC application.
- In the left-hand panel, click Client Secret Valid > Regenerate Secret.
- Click Regenerate when the Regenerate Client Secret window appears.
- Copy and store the new Client Secret in a safe location, like a password manager.
- Click Got It.
Steps to take in Service Provider:
- Update the Service Provider configuration with the regenerated Client Secret.
Additional Resources
- Enable MFA for all 黑料海角91入口 administrators and end users, and verify that it is set up for every account.
- Ensure you are enforcing rigorous password complexity requirements.