Managing the Imprivata IdP Certificate for WebSSO

SAML signing certificates let each party verify the authenticity and integrity of the messages exchanged between Service Providers (SPs, the web applications) and the Identity Provider (IdP, Imprivata Web SSO): the sender signs a message with its private key, and the receiver checks the signature against the public key in the sender's certificate.

These certificates are included within the SAML metadata files exchanged between the IdP and SP during initial WebSSO setup.

If either certificate expires, end users can no longer log into the SP applications you have enabled for Imprivata Web SSO, because the receiving side rejects signatures made with an expired certificate. Access through Imprivata Web SSO is restored once you replace the expired certificate.

If an SP certificate is expiring, see Managing SP Certificates for Web SSO.

IdP Certificate Expiring

The IdP certificate expires two years after it is enabled. You will receive an alert on the Imprivata Admin Console beginning 60 days before it expires. The alert includes the date of expiry, and lists all SPs that use the IdP certificate.

An email notification is also sent to the administrator 60 days and 30 days before the IdP certificate expires, and every day of the last week before it expires.

When the IdP certificate is within 60 days of expiry, Imprivata automatically generates a new certificate. Until the old certificate expires, the IdP metadata contains both certificates, so an SP that reloads the metadata can trust both at once.

During this 60-day period, either of the certificates can be used for WebSSO.

Any new application profiles that are added to your enterprise during that period will use the new certificate.

When the old certificate expires, all remaining applications are automatically switched to the new certificate. Any SP that has not been given the new certificate by then will reject Imprivata's assertions, and its users will be locked out until the SP is updated.

In the Imprivata Admin Console, click the alert to view the web app(s) that use the expiring IdP certificate, and update each listed web app by providing it with the new IdP metadata (or the new certificate on its own).

Once a web application has been updated with the new certificate, switch Imprivata to sign with the new certificate for that application (see Start Using New IdP Certificate below). Do this one application at a time: an application that is switched before its SP trusts the new certificate will reject every assertion until the SP is updated.
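The following script is an added example, not part of the Imprivata documentation or product, for checking the situation the paragraphs above describe before an application is switched: it reads the signing certificates an IdP advertises in its SAML metadata (two during the overlap period), compares them with the certificates an SP is configured to trust, and reports which ones the SP would reject. It also identifies which certificate a signed SAML response was produced with, so a failing login can be traced to an SP that was never given the new certificate. The metadata, entity ID, URLs and certificate bytes are constructed placeholders (the "certificates" are not real DER-encoded X.509; real metadata carries DER in the same element and the code handles it unchanged). The script only compares certificate identity; reading expiry dates needs an X.509 parser such as openssl x509 -noout -enddate.

```python
"""Pre-flight check for an IdP signing certificate rollover (stdlib only).

Added example, not Imprivata's code. Certificate contents are constructed
placeholders, not real DER-encoded X.509 certificates.
"""
import base64
import hashlib
from typing import Dict, List, Set
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample certificates (placeholders standing in for DER bytes).
OLD_CERT_B64 = base64.b64encode(b"placeholder DER: expiring IdP signing certificate").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder DER: newly generated IdP signing certificate").decode()
ENC_CERT_B64 = base64.b64encode(b"placeholder DER: IdP encryption-only certificate").decode()

# Constructed IdP metadata as it looks during the overlap period: one signing
# KeyDescriptor per certificate, plus an encryption-only one that must be ignored.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 hex digest of the certificate bytes (base64 payload, whitespace stripped)."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def idp_signing_certs(metadata_xml: str) -> Dict[str, str]:
    """Return {fingerprint: base64} for every certificate the IdP may sign with.

    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs: Dict[str, str] = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            if el.text and el.text.strip():
                b64 = "".join(el.text.split())
                certs[cert_fingerprint(b64)] = b64
    return certs


def untrusted_by_sp(metadata_xml: str, sp_trusted_b64: List[str]) -> Set[str]:
    """Fingerprints of IdP signing certificates the SP is not configured to trust.

    Non-empty means: once Imprivata signs with one of these (manually, or
    automatically when the old certificate expires), logins to this SP fail
    until the SP is updated.
    """
    trusted = {cert_fingerprint(c) for c in sp_trusted_b64}
    return set(idp_signing_certs(metadata_xml)) - trusted


def response_signing_cert(response_xml: str) -> str:
    """Fingerprint of the certificate carried in a signed response's <ds:KeyInfo>.

    Diagnostic only: it says which certificate the IdP used. An SP must still
    verify the XML signature against a key it already trusts and must never
    accept a certificate merely because it appears in KeyInfo.
    """
    root = ET.fromstring(response_xml)
    el = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if el is None or not el.text:
        raise ValueError("response carries no X509Certificate in its signature")
    return cert_fingerprint(el.text)


def would_sp_accept(response_xml: str, sp_trusted_b64: List[str]) -> bool:
    """True if the response's signing certificate is one the SP trusts."""
    return response_signing_cert(response_xml) in {cert_fingerprint(c) for c in sp_trusted_b64}


def signed_response(cert_b64: str) -> str:
    """Constructed skeleton of a signed SAML response (SignatureValue omitted)."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    )


if __name__ == "__main__":
    sp_trusts = [OLD_CERT_B64]  # an SP that has not yet been given the new certificate
    print("IdP advertises", len(idp_signing_certs(IDP_METADATA)), "signing certificate(s)")
    print("not trusted by SP:", untrusted_by_sp(IDP_METADATA, sp_trusts))
    print("login after switch would succeed:", would_sp_accept(signed_response(NEW_CERT_B64), sp_trusts))
```

Run it against the real IdP metadata (the file or URL from the profile's View link) and the certificate list exported from the SP: an empty result from untrusted_by_sp means the SP can be switched safely, and a non-empty one means the switch (manual or automatic at expiry) will break logins for that SP.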

Provide IdP Certificate to the Web Application

  1. On the Imprivata Admin Console, go to Applications > Single sign-on application profiles.

  2. Click Edit Profile for the SAML application.

  3. Under Identity provider (IdP) metadata, click View and copy your Imprivata enterprise (IdP) SAML metadata.

  4. Download the IdP certificate or copy the metadata URL, depending on how your SP consumes the metadata. See the Imprivata Help topic for the web app for details.

  5. Provide the new IdP certificate to the Service Provider, either by uploading the certificate manually or by having the SP reload the metadata (from the pasted file or the metadata URL). Confirm in the SP that both the current and the new certificate are now trusted before continuing.

Start Using New IdP Certificate

  1. In the Imprivata Admin Console, go to Applications > Single sign-on application profiles.

  2. Click Edit Profile for the SAML application.

  3. Under Identity provider (IdP) metadata, click Start using new IdP certificate.

    Imprivata can now use the new IdP certificate for SAML assertions with this web application.

  4. Return to the Imprivata Admin Console home page. Once every web app listed in the alert has been switched to the new certificate, the alert should no longer be displayed.

NOTE:

Because more than one SP may use the IdP certificate, the expiring certificate remains valid until its expiration date even after the new certificate is generated. This gives you a grace period to transition the SPs to the new certificate one at a time instead of all at once.