Select to view content in your preferred language

Portal: SAML metadata auto renewal (certificates)

02-01-2019 01:55 AM
Status: Open
New Contributor III

SAML Metadata

Within the SAML protocol, metadata, including certficates, must be refreshed. Metadata/Certificates have a specific end date, and at some point with security incidents, metadata/certificates may be revoked and replaced.

With the current version of Portal (and ArcGIS Online), this metadata must be refreshed manually, by uploading the metadata xml.


The SAML protocol has a feature to have auto-renewal of this metadata.  We want this to be implemented in the ArcGIS Portal (including ArcGIS Online).

Benefits are:

- No manual interaction when certificate is renewed on shedule

- No outage when on incidents the certificate is revoked and renewed on an earlier unplanned time

- No outage, downtime window, when manual renewing:  when manual renewing, you can only have 1 certificate active, where auto renewal has overlapping 2 certificate period


At our organisation this auto-renewal is implemented and followed by 90% of the applications that are connected. We as GIS departement are handicapped with the manual refresh. IT-security department has given us the deadline for end of 2019 to implement this. Since it is part of the standard portal functionallity I have to ask Esri to implement this.

 Metadata auto-renewal information

The IDP token singing certificate is an important part of the security within the SAML protocol. In the our scenario the signing certificate expires each 2 years. The signing certificate is automatically renewed by the IDP upon it’s expire date. The IDP automatically updates his metadata upon this so the new certificate is reflected in the metadata. However, this certificate renewal will cause the trust between the SP and IDP to break, until the SP administrator (manually) imports the new IDP metadata.

To prevent outage of SSO to an SP, auto-renewal can be used to periodically (daily) check the metadata url for changes and automatically import the new metadata file towards the SP if a change is detected.


Azure AD is now refreshing certification every 3 years, but it can be refreshed more often (more secure).  Please introduce certificate autorenewal for SAML and OpenID connect, to prevent outage.


In my situation, I don't need to update the metadata automatically, but I would like an email immediately on any change to the metadata. It would be great if I could update automatically, but only certain users at my institution can submit metadata files.


I wanted to ask is possible to have an automatic notification (1 or 2 months before) from portal any time this certificate is going to update?
So we can prepare alignment with our certificate.