Updating certificates for an SP or IdP

Occasionally, you may need to update the service provider (SP) or identity provider (IdP) certificates for the federated pairs configured in Ivanti Access. You must update the certificates if the service provider or identity provider certificate is about to expire or has expired. Ivanti Access provides notifications when the certificate expiration date is approaching. The administrator can then update the certificate by providing the updated metadata. For information about certificate expiration notifications, see Certificate expiry notifications.

Ivanti recommends updating certificates promptly so that services are not interrupted.

Certificate information is available in the service provider or identity provider metadata you upload to Ivanti Access. Depending on whether you uploaded metadata, added metadata, or entered a metadata URL when configuring the federated pair, do one of the following to update the certificate:

Ivanti Access only consumes the information in the metadata. If the metadata references an expired or soon-to-expire certificate, Ivanti Access continues to show the certificate expiration notifications.

Certificate update if you uploaded metadata

Do the following if you uploaded metadata from the service provider (SP) or identity provider (IdP) when configuring the federated pair.

Procedure

  1. Get the metadata from the affected SP or IdP.
    See Ivanti Access Cookbooks for more details.

  2. Go to Profile > Federation.

  3. Click Update beside the warning message to update the certificate for the SP or IdP. The Update IDP metadata screen displays.

    1. (Optional) Click Edit to provide a metadata URL or to add metadata instead of uploading a file. Otherwise, continue with the next step.
    2. Click Choose File to upload the metadata file for the SP or the IdP, as appropriate.
    3. Click Upload Metadata.
    4. Click Done.

Certificate update if you added metadata

Do the following if you added metadata when configuring the federated pair.

Procedure

  1. Go to Profile > Federation.
  2. Click Update beside the warning message to update the certificate for the SP or IdP. The Update IDP metadata screen displays.

    1. Update the certificate.
      If the certificate you provide is valid, a confirmation message reports that the update was successful.

    2. (Optional) Click Edit to switch to providing a metadata URL or uploading metadata instead of adding it.

Certificate update if you entered a metadata URL

Do the following if you entered a metadata URL when configuring the federated pair.

Procedure

  1. Go to Profile > Federation.

  2. Perform one of the following actions, depending on what changed:

    1. Update link for expired or expiring metadata: The Update IDP metadata window opens with a sync option. Click Sync metadata to complete the update. Note that in this case the modified attributes are not listed.

    2. Update link for a change in metadata: The Update IDP metadata window opens and the modified attributes are listed along with a sync button. Click Sync metadata to complete the update.

    3. Update SP or IDP metadata menu option: This is a one-click sync. Clicking the menu option syncs the metadata automatically, and the quick update window displays the attributes that were modified.

  3. (Optional) Click Edit to upload or add metadata instead of using a metadata URL.
  4. Click Sync metadata > Close.
    A confirmation message reports that the sync completed successfully.

For Office 365 and Microsoft ADFS, when the Office 365 domain is federated with Ivanti Access and Ivanti Access is federated with ADFS, the ADFS metadata is either uploaded to Ivanti Access or provided through a metadata URL.

ADFS has certificate rollover functionality: it publishes both a primary and a secondary signing certificate in its metadata, and when the primary is about to expire, ADFS switches to the secondary certificate. Ivanti Access likewise uses the certificate with the later expiry date and monitors that certificate, so the rollover does not break authentication.

However, whenever the certificate is updated on the ADFS side, the change must be brought into Ivanti Access, either by uploading the new ADFS metadata or, if the ADFS metadata was provided through a URL, by syncing it with "Sync IdP Metadata".
For more information, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-o365-certs.
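The expiry monitoring behind the notifications, and the ADFS rollover behaviour described above, can be checked offline before an update is due. The following Python script is an added example, not Ivanti or Microsoft code: it reads the signing certificates out of SAML IdP metadata, decodes each certificate's notAfter with a small DER walker (no third-party library needed), and reports the later-expiring one, which is the certificate the page says Ivanti Access monitors. The metadata and the 'certificates' in it are constructed for the example (unsigned stubs carrying only a validity field); point check_metadata at real metadata to use it for real.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
def _tlv(buf, pos):                                    # one DER tag-length-value -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length (the norm in real certificates)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(seq):                                    # (tag, value, end) triples inside a DER SEQUENCE
    pos, out = 0, []
    while pos < len(seq):
        out.append(_tlv(seq, pos))
        pos = out[-1][2]
    return out
def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC datetime."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip the optional [0] version field
    tag, value, _ = _children(fields[3][1])[1]         # serial, sigAlg, issuer, validity -> notAfter
    text = value.decode("ascii")
    if tag == 0x17:                                    # UTCTime (YYMMDD...); 0x18 is GeneralizedTime
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def signing_cert_expiries(metadata_xml):
    """notAfter of every signing certificate in the metadata (ADFS publishes primary and secondary)."""
    return [cert_not_after(base64.b64decode("".join(x509.text.split())))
            for kd in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}KeyDescriptor")
            if kd.get("use", "signing") == "signing"   # no 'use' attribute means signing and encryption
            for x509 in kd.iter(f"{{{NS['ds']}}}X509Certificate")]
def check_metadata(metadata_xml, now, warn_days=30):  # -> (latest notAfter, days left, warn?)
    latest = max(signing_cert_expiries(metadata_xml))  # the later-expiring certificate is the one to watch
    days_left = (latest - now).days
    return latest, days_left, days_left <= warn_days
# Constructed sample input: unsigned stub 'certificates' carrying only a validity field, in a hand-written skeleton.
def _der(tag, value):
    return bytes([tag, len(value)]) + value            # short-form length is enough for the stubs
def synthetic_cert(not_after_utctime):
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after_utctime))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity
    return _der(0x30, _der(0x30, tbs))
PRIMARY, SECONDARY = (base64.b64encode(synthetic_cert(t)).decode() for t in (b"250301000000Z", b"260301000000Z"))
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://adfs.example.invalid">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>{PRIMARY}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>{SECONDARY}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running check_metadata(METADATA, datetime.now(timezone.utc)) against a saved copy of the real ADFS metadata gives the same "later expiry" view that Ivanti Access bases its notifications on, so a planned rollover can be verified before the warning appears.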