Portal: SAML metadata auto renewal (certificates)

Idea created by SGIS_TAC on Feb 1, 2019

    SAML Metadata


    Within the SAML protocol, metadata, including certificates, must be refreshed. Metadata and certificates have a fixed end date, and after a security incident they may have to be revoked and replaced before that date.


    With the current version of Portal (and ArcGIS Online), this metadata must be refreshed manually by uploading the metadata XML.


    Benefits


    The SAML protocol supports automatic renewal of this metadata. We want this implemented in ArcGIS Portal (including ArcGIS Online).


    Benefits are:

    - No manual interaction when the certificate is renewed on schedule

    - No outage when, after an incident, the certificate is revoked and renewed at an earlier, unplanned time

    - No outage or downtime window as with manual renewal: with manual renewal only one certificate can be active at a time, whereas auto-renewal gives a period in which the two certificates overlap


    Deadline


    At our organisation this auto-renewal is implemented and followed by 90% of the applications that are connected. We as GIS department are handicapped with the manual refresh. IT-security department has given us the deadline of end of 2019 to implement this. Since it is part of the standard Portal functionality I have to ask Esri to implement this.


    Metadata auto-renewal information

    The IdP token signing certificate is an important part of the security within the SAML protocol. In our scenario the signing certificate expires every 2 years. The IdP renews the signing certificate automatically on its expiry date and updates its metadata at the same time, so the new certificate is reflected in the metadata. However, this certificate renewal breaks the trust between the SP and the IdP until the SP administrator (manually) imports the new IdP metadata.

    To prevent an SSO outage at an SP, auto-renewal can be used to periodically (daily) check the metadata URL for changes and automatically import the new metadata file into the SP when a change is detected.
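To make the daily check concrete, here is an added example (not Esri's or the author's code) that extracts the IdP signing certificates from SAML metadata, fingerprints them, and tells the SP administrator whether the IdP has published an overlapping new key or has already replaced the old one. The metadata is constructed inline and the certificate bodies are placeholder bytes rather than real X.509 certificates, since only their hashes matter here; it uses the Python standard library only.

```python
"""Detect IdP signing-certificate rollover in SAML 2.0 metadata (stdlib only)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Real SAML 2.0 metadata and XML-Signature namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signing_cert_fingerprints(metadata_xml: str) -> set[str]:
    """SHA-256 fingerprints (over the DER bytes) of every IdP signing certificate.
    A KeyDescriptor without a 'use' attribute is valid for signing and encryption."""
    root = ET.fromstring(metadata_xml)
    fingerprints = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys do not affect assertion trust
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def classify_rollover(trusted: set[str], fetched: set[str]) -> str:
    """Compare the signing keys the SP trusts with those in freshly fetched metadata."""
    if fetched == trusted:
        return "unchanged"
    if trusted & fetched:
        return "overlap"   # old and new key both published: import now, no outage
    return "replaced"      # old key gone: SSO is broken until the new metadata is imported


def sample_metadata(keys) -> str:
    """Constructed IdP metadata; certificate bodies are placeholder bytes, not real certs."""
    descriptors = "".join(
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f'{base64.b64encode(name.encode()).decode()}'
        f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        for use, name in keys)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.org/saml"><md:IDPSSODescriptor>'
            f'{descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>')


if __name__ == "__main__":
    trusted = signing_cert_fingerprints(sample_metadata([("signing", "cert-2019")]))
    today = sample_metadata([("signing", "cert-2019"), ("signing", "cert-2021"),
                             ("encryption", "enc-key")])
    print(classify_rollover(trusted, signing_cert_fingerprints(today)))  # overlap
```

In a scheduled job the fetched metadata would come from the IdP's metadata URL, and "overlap" is the window in which importing costs nothing, while "replaced" means users are already locked out.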