Connection and federation metadata
Certificate rotation uses a number of inherent capabilities which enable it to deploy new certificates to replace current certificates in enabled connections.
Certification rotation is a per-certificate configuration. When certificate rotation is enabled for a certificate and a new certificate using new key pairs becomes available, PingFederate deploys the new certificate to all enabled connections that use the original certificate. The actions taken by PingFederate vary depending on the role of the certificate.
Notifications
Although optional, you can turn on notifications for certificate events in System → Monitoring & Notifications → Runtime Notifications. When configured, PingFederate notifies the configured recipient when a new certificate is available and when it is activated. Depending on the role of the certificate, you can update your partner accordingly.
Signing certificate
When the Creation Buffer threshold is reached, a new certificate is created. For all web browser single sign-on (SSO) (SAML and WS-Federtion) connections using the same signing certificate, PingFederate starts including the new certificate (along with the current certificate) in their metadata. PingFederate keeps using the current certificate for signing until the remaining lifetime of the current certificate reaches the Activation Buffer threshold, at which point PingFederate starts signing with the new certificate and removes the previous certificate from the metadata.
To prevent SSO outages, partners must update their connections to use the new certificate to verify digital signatures before the Activation Buffer threshold is reached. |
XML decryption
When a new certificate is made available, PingFederate performs the following tasks for all SAML 2.0 connections using the same decryption key:
-
Pushes the current decryption key from primary to secondary
-
Places the new certificate as the primary decryption key
-
Updates the decryption key with the new certificate in the metadata
-
Starts using the new decryption key to decrypt inbound messages. If the primary decryption key fails, PingFederate fails over to the secondary decryption key
When the remaining lifetime of the current certificate reaches the Activation Buffer threshold, the secondary decryption key is removed from the SAML 2.0 connections.
When PingFederate is configured to generate notifications for certificate events, PingFederate also notifies the configured recipient when the existing RSA decryption key is about to expire.
For XML decryption keys, PingFederate only supports the RSA key algorithm. When EC (elliptic curve) is selected as the Key Algorithm value on the Certificate Rotation tab, PingFederate does not update the SAML 2.0 connections and their metadata. |
To prevent SSO outages, partners must update their connections to use the new certificate to encrypt messages before the Activation Buffer threshold is reached. |
Federation metadata for Browser SSO connections
PingFederate updates the metadata for the applicable web browser SSO connections as soon as a new certificate is available.
To ensure that your partners are aware of the new certificate, you can provide their respective federation metadata by URLs or exports.
- Metadata by URL
-
PingFederate runtime engine provides an endpoint (
/pf/federation_metadata.ping
) to return metadata for web browser SSO connections. A service provider (SP) or an identity provider (IdP) is identified by its entity IDs using thePartnerSpId
query parameter or thePartnerIdpId
query parameter, respectively, as illustrated in the following examples.
Partner | Federation metadata URL to be given to the partner |
---|---|
An SP partner with an entity ID of SP1. |
https://www.example.com:9031/pf/federation_metadata.ping? |
An IdP partner with an entity ID of IdP1. |
https://www.example.com:9031/pf/federation_metadata.ping? |
The base URL for the PingFederate runtime engine is https://www.example.com:9031 |
In a clustered environment, because the console node is responsible for creating and applying the new certificates to all applicable connections, you must replicate the new certificate to the engine nodes in System → Server → Cluster Management when the new certificate is available, so that the federation metadata for these connections is updated accordingly. The administrative console reminds you to replicate configuration when it detects configuration changes. |
- Metadata by manual export
-
Alternatively, you can export a metadata file for a connection from the Connections Management window or System → Protocol Metadata → Metadata Export.
PingFederate does not deploy new certificates or update metadata for inactive connections. |
WS-Trust STS connections
For connections with only the WS-Trust security token service (STS) profile, you must export the new pending certificate and pass it to your partners out-of-band before the Activation Buffer threshold is reached.
If a connection contains both the Browser SSO and the WS-Trust STS profiles, the new certificate is included in the federation metadata for the Web Browser SSO profile. Your partner can reuse the certificate from the metadata by URL or manual export and apply it to its STS configuration.