
Single Sign-On

Update SAML2 certificate

Overview

Using the SAML2 Single Sign-On integration, you can connect your Identity Provider with Flexopus (the Service Provider) and give your users a smooth login experience. The data exchanged between Flexopus and your Identity Provider is protected, and a certificate is shared with Flexopus to secure this communication. Certificates have an expiration date; depending on your security settings they can expire after 1 year, 3 years or, in some cases, 5 years.

Your system administrator issues a new certificate when the old one is about to expire. The new certificate must be shared with Flexopus to keep single sign-on working without interruption.

Important! If you change the certificate, it may break the login for your users. Make sure the new certificate is known to Flexopus through the proper metadata configuration.

Metadata configuration within Flexopus

Flexopus offers two ways to configure the SAML2 SSO:

  • Metadata URL
  • Metadata file

Note! Flexopus reads the provided metadata file or URL every 24 hours, or whenever you change the SSO settings and save them: open the SSO settings and press SAVE.

The metadata file includes the current certificate. It is the long Base64 text between the X509Certificate elements:

<X509Certificate>XYZXYZ...</X509Certificate>

Metadata URL

If you configured the metadata with a URL, the URL points to the current metadata file. Flexopus fetches the file once a day and caches it on the server. If the metadata file changes, Flexopus picks up the new data within 24 hours. To fetch the file sooner, go to the SAML2 SSO configuration page in Flexopus, select the configuration and press SAVE. Saving the configuration triggers the fetch and updates the certificate.

Warning! The new metadata file with the new certificate is fetched automatically within 24 hours, but we still recommend fetching it manually with the SAVE button to avoid failed login attempts in the meantime.

--

This configuration is used mostly by customers using Microsoft Azure Active Directory:

Azure Active Directory SAML2 SSO | Flexopus
Learn how to integrate Flexopus with Azure Active Directory using SAML2 for secure single sign-on and streamlined user management.

Metadata File

In some cases there is no metadata URL, either because of a security configuration or because your Identity Provider lacks the functionality. The metadata is then uploaded into Flexopus as a file, and the current certificate is the one contained in that file. If a new certificate is issued, Flexopus knows nothing about it until you upload a new metadata file containing the new certificate.

Important! You need to upload a new metadata file with the updated certificate; otherwise, the users will not be able to log in.

--

This configuration is used mostly by customers using Microsoft AD FS or Google Workspace:

Microsoft AD FS SAML2 SSO | Flexopus
Learn how to integrate Flexopus with Microsoft AD FS using SAML2 for secure single sign-on and centralized user management.
Google SAML2 SSO | Flexopus
Learn how to integrate Flexopus with Google Workspace using SAML2 for secure single sign-on and streamlined user management.

Recommendation

Generally, it is recommended to rotate certificates with an overlap: the old certificate should remain valid for a few days or weeks in parallel with the new one. This gives external systems such as Flexopus a reasonable window to pick up the new certificate, and you do not break the integrations immediately. In our experience, not all Identity Providers support having multiple valid certificates in parallel. Overlap the certificates when updating, if technically possible.
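To check what Flexopus will see when it reads your metadata (the X509Certificate elements described above) and whether the overlap recommended here is actually in place, the following script, added as an example and not part of Flexopus or any Identity Provider's tooling, parses a SAML2 metadata document, pulls out every certificate, and reports each one's SHA-256 fingerprint, validity window and days until expiry. The metadata document and both certificates are constructed inline as sample data; the certificates are unsigned dummies that only carry the fields the script walks, and the entityID https://idp.example.invalid/saml is a placeholder. The DER walker is a deliberately minimal hand-written parser, sufficient for the Validity field of real certificates but not a replacement for a full X.509 library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by SAML2 metadata and XML Signature; X509Certificate lives in the ds namespace.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def extract_certificates(metadata_xml: str) -> list:
    """Return the DER bytes of every <ds:X509Certificate> in the metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    ders = []
    for el in root.iter("{%s}X509Certificate" % DS_NS):
        b64 = "".join((el.text or "").split())      # IdPs often wrap the Base64 across lines
        ders.append(base64.b64decode(b64))
    return ders


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, raw: bytes) -> datetime:
    # 0x17 = UTCTime (YYMMDDhhmmssZ), 0x18 = GeneralizedTime (YYYYMMDDhhmmssZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_validity(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter) as UTC datetimes."""
    _, cert, _ = _read_tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                   # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:                                  # [0] EXPLICIT version is optional (absent in v1 certs)
        pos = 0
    for _ in range(3):                               # skip serialNumber, signature AlgorithmIdentifier, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)             # Validity SEQUENCE { notBefore, notAfter }
    tag_nb, nb, pos = _read_tlv(validity, 0)
    tag_na, na, _ = _read_tlv(validity, pos)
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)


def rotation_report(metadata_xml: str, now: datetime = None) -> list:
    """One entry per certificate in the metadata: fingerprint, validity window, days left, validity now."""
    now = now or datetime.now(timezone.utc)
    report = []
    for der in extract_certificates(metadata_xml):
        not_before, not_after = certificate_validity(der)
        report.append({
            "sha256": hashlib.sha256(der).hexdigest(),   # compare with the fingerprint shown in the IdP console
            "not_before": not_before,
            "not_after": not_after,
            "days_left": (not_after - now).days,
            "valid_now": not_before <= now <= not_after,
        })
    return report


# --- Constructed sample data (not a real IdP's metadata or certificate) ---------------------------------
def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode a tag-length-value; supports long-form lengths."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_certificate(not_before: str, not_after: str) -> bytes:
    """Structurally valid, UNSIGNED dummy Certificate DER carrying only the fields the walker touches."""
    sha256_rsa = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # OID 1.2.840.113549.1.1.11
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                            # [0] version = v3
        _tlv(0x02, b"\x01"),                                        # serialNumber
        _tlv(0x30, sha256_rsa + _tlv(0x05, b"")),                   # signature AlgorithmIdentifier
        _tlv(0x30, b""),                                            # issuer (empty Name, dummy)
        _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode())),  # validity
        _tlv(0x30, b""),                                            # subject (dummy)
        _tlv(0x30, b""),                                            # subjectPublicKeyInfo (dummy)
    ]))
    return _tlv(0x30, tbs + _tlv(0x30, sha256_rsa + _tlv(0x05, b"")) + _tlv(0x03, b"\x00"))


def _key_descriptor(der: bytes) -> str:
    return ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            + base64.b64encode(der).decode() + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


OLD_CERT = constructed_certificate("230101000000Z", "240101000000Z")   # about to expire
NEW_CERT = constructed_certificate("231201000000Z", "261201000000Z")   # the overlapping replacement
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.invalid/saml">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">' % (MD_NS, DS_NS)
    + _key_descriptor(OLD_CERT) + _key_descriptor(NEW_CERT)
    + "</md:IDPSSODescriptor></md:EntityDescriptor>"
)
SAMPLE_NOW = datetime(2023, 12, 15, tzinfo=timezone.utc)   # fixed "today" so the report is deterministic

if __name__ == "__main__":
    for entry in rotation_report(SAMPLE_METADATA, now=SAMPLE_NOW):
        print(entry["sha256"][:16], entry["not_after"].date(), "days left:", entry["days_left"], "valid:", entry["valid_now"])
```

Run against the sample data, the report lists two signing certificates: the old one with 17 days left and the new one with 1082 days left, both valid at the fixed date, which is exactly the overlap state the recommendation describes. Running it against a real metadata URL or the file you are about to upload (replace SAMPLE_METADATA with the fetched document) shows whether the new certificate is present at all and whether the old one is still valid, before you press SAVE.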