SAML - Key Sign Rollover

Hi,

Every so often SAML SSO stops working on our app and we have to re-establish the connection by creating a new connection. I've looked at the logs and we get this error when SAML stops working:

08:45:29 APP ERROR SAML_SSO: Unable to validate Response, see SAMLRequest overview for detailed response. Error: org.opensaml.xml.validation.ValidationException: The assertion is not signed correctly
08:45:29 APP ERROR SAML_SSO: org.opensaml.common.SAMLException: org.opensaml.xml.validation.ValidationException: The assertion is not signed correctly

I've been looking into why this happens and have found the following: https://stackoverflow.com/questions/49638670/azure-ad-saml-authentication-signing-certificate-change

Essentially Azure uses signing key rollover for security: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover

"For security purposes, Azure AD's signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. Any application that integrates with Azure AD should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesn't, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail."

The Mendix SAML 2.0 module does not seem to take this into account and SAML needs to be set up again. Please could you advise if the SAML module can deal with this (and I have just not found it yet)? If it does not provide this, please could you advise on any solutions we can try.

Many thanks,
Garion

But would a refresh of the metadata not cure this? I think the current SEF refreshes it daily. You could change this interval to do it even more. Was this SEF active?

Regards,

Ronald

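The failure Garion describes and the metadata refresh Ronald suggests come down to one design rule: the service provider must not pin a single IdP signing certificate, it must trust whatever signing certificates the IdP's current metadata publishes, and re-fetch that metadata when an assertion arrives signed with a certificate it does not know. The script below is an added example written for this page; it is not the Mendix SAML module's code nor Microsoft's. All XML in it is constructed, the "certificates" are placeholder DER bytes (only their fingerprints are compared), and `FakeIdp` stands in for an Azure AD federation metadata endpoint that first publishes one signing certificate and then, during rollover, publishes the old and the new one side by side.

```python
"""Added example (not Mendix or Microsoft code): refresh IdP SAML metadata on a
signing-certificate miss instead of pinning one certificate.

All XML and certificates here are constructed for the example. The certificate
bytes are placeholders, not real X.509; only SHA-256 fingerprints are compared.
The cryptographic XML-DSig check must still be run with the trusted certificate
this lookup selects, never with whatever certificate the assertion embeds.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _b64cert(tag: bytes) -> str:
    # Placeholder DER blob (constructed); a real certificate would go here.
    return base64.b64encode(b"\x30\x82" + tag.ljust(32, b"\x00")).decode()


CERT_OLD = _b64cert(b"old-signing-cert")
CERT_NEW = _b64cert(b"new-signing-cert")
CERT_ROGUE = _b64cert(b"attacker-cert")


def metadata_xml(certs):
    """Constructed IdP metadata with one signing KeyDescriptor per certificate."""
    descs = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sts.windows.net/example-tenant/">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{descs}'
            "</md:IDPSSODescriptor></md:EntityDescriptor>")


def assertion_xml(cert):
    """Constructed assertion whose ds:KeyInfo names the certificate used to sign it."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_a1">'
            "<saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>"
            "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue>"
            f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>")


def fingerprint(b64: str) -> str:
    der = base64.b64decode("".join(b64.split()))   # PEM-style line breaks are allowed
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata: str) -> set:
    """Fingerprints of every certificate the IdP currently publishes for signing."""
    root = ET.fromstring(metadata)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps


def assertion_signing_fingerprint(assertion: str) -> str:
    root = ET.fromstring(assertion)
    cert = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("assertion carries no signing certificate in KeyInfo")
    return fingerprint(cert.text)


class IdpTrustStore:
    """Caches the IdP's signing-cert fingerprints; re-fetches metadata once on a miss."""

    def __init__(self, fetch_metadata):
        self._fetch = fetch_metadata      # callable returning the metadata XML
        self._fps = set()
        self.refreshes = 0

    def refresh(self):
        self._fps = signing_fingerprints(self._fetch())
        self.refreshes += 1

    def trusted_cert_for(self, assertion: str) -> bool:
        fp = assertion_signing_fingerprint(assertion)
        if fp in self._fps:
            return True
        self.refresh()                    # key may have rolled: re-fetch, retry once
        return fp in self._fps


class FakeIdp:
    """Stands in for Azure AD: publishes the old cert, then old + new during rollover."""

    def __init__(self):
        self.published = [CERT_OLD]

    def metadata(self):
        return metadata_xml(self.published)


def rollover_demo():
    idp = FakeIdp()
    store = IdpTrustStore(idp.metadata)
    store.refresh()
    results = {"before_rollover": store.trusted_cert_for(assertion_xml(CERT_OLD))}
    idp.published = [CERT_OLD, CERT_NEW]                  # the IdP rolls its signing key
    results["new_key_after_refresh"] = store.trusted_cert_for(assertion_xml(CERT_NEW))
    results["rogue_cert"] = store.trusted_cert_for(assertion_xml(CERT_ROGUE))
    results["refreshes"] = store.refreshes
    return results


if __name__ == "__main__":
    print(rollover_demo())
```

Two caveats for a real deployment. The fingerprint match only decides which certificate is allowed to verify the signature; the XML-DSig verification itself (what OpenSAML is doing when it reports "The assertion is not signed correctly") still has to run with that trusted certificate, and an assertion whose embedded certificate is not in metadata must be rejected even if its signature verifies against the embedded certificate. And the on-miss refresh should be rate-limited and fetched only over HTTPS from the tenant's federation metadata URL, otherwise anyone who can submit assertions can make the service provider hammer the IdP.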