Replacing SSO certificates before they expire

During Single Sign-On (SSO) setup, you downloaded one or more Service Provider (SP) files from the Secure Endpoint Console and uploaded them to the Absolute SP configuration in your IdP.

These files include certificates that contain a public key for encryption, signature verification, or both. Each certificate has an expiration date set to 3 years from its creation date. Before the current certificates expire, you need to download new files and upload them to your IdP. If certificates are not replaced before they expire, users will be unable to log in to the Secure Endpoint Console.

System Administrators (and any custom user role granted Manage permissions for Authentication) will receive an email notification when new files are available for download. These notifications begin 30 days prior to the certificate expiration date. An announcement will also be displayed in the Secure Endpoint Console.

Your Identity Provider (IdP) certificate also has an expiration date. For more information about updating an expiring IdP certificate, refer to the documentation provided by your IdP.

If your certificates have already expired and you can't log in to the Secure Endpoint Console, contact Absolute Technical Support.

To download new files for upload to your IdP:

  1. Monitor your Inbox for an Absolute email notification notifying you that your Absolute SP certificate is due to expire. Email notifications are sent 30 days, 15 days, and 2 days prior to the expiration date.
  2. Log in to the Secure Endpoint Console as a user with View or Manage permissions for Authentication. The System Administrator role is the only default role with these permissions.
  3. On the navigation bar, click Settings > Authentication settings.
  4. In the Single Sign-On area, click View Identity Provider. The existing configuration information for the IdP shows.

  5. Depending on the requirements of your IdP, do the following under Download Absolute Service Provider Metadata and Certificates:

    If you are unsure which files to download, review the existing Absolute SP configuration in your IdP.

    • To download new certificates, click Download Encryption and Signing Certificates. Depending on the number of certificates included in the package, one of the following files is downloaded:
      • absolute-cert-<expiration date>.pem: individual certificate file containing the SP public key for both encryption and signature verification
      • absolute-certs.zip: zip file containing multiple .pem files for encryption, signature verification, or both

    • To download new signing certificates, click Download Signing Certificates.

      Only perform this step if your IdP requires separate signing certificates for signature verification.

      The absolute-certs.zip is downloaded.

      Note that this zip file contains two absolute-cert-<expiration date>.pem files:

      • Current signing certificate, which is required for signature verification until its expiration date
      • New signing certificate, which is required for signature verification after the current certificate expires

      You will need to add both files to the Absolute SP configuration in your IdP.

    • To download a new Absolute metadata file, click Download Metadata. The absolute-metadata.xml file is downloaded.
  6. Log in to your identity provider.
  7. Complete the steps to upload the applicable certificate files, as required. For more information, refer to the documentation provided by your IdP.
  8. Complete the steps to upload an SP metadata file, as required. For more information, refer to the documentation provided by your IdP.
  9. Log out of the Secure Endpoint Console and attempt to log back in. If you are able to log in, the certificates are updated. If you are unable to log in, contact Absolute Technical Support.