Managing Certificates
IAM Identity Center uses certificates to set up a SAML trust relationship between IAM Identity Center and your external identity provider. When you change the identity source to an external identity provider, you must also obtain at least one SAML 2.0 certificate from the external identity provider. The certificate is usually included in the IdP SAML metadata file and automatically installed during the metadata file upload.
You may need to import certificates periodically to rotate invalid or expired certificates issued by your identity provider. This helps prevent authentication disruption or downtime. The process of replacing old certificates with new ones is called certificate rotation. All imported certificates are automatically active. A maximum of two certificates are supported. Certificates can be deleted only after you ensure that they are no longer in use by the associated identity provider.
You should also consider that some identity providers may not support multiple certificates. In this case, rotating a certificate may temporarily interrupt services for your users. After the certificate is rotated and the trust with the identity provider is re-established, services will be restored. You are advised to rotate certificates during off-peak hours.
As a security best practice, upon any signs of compromise or mishandling of an existing SAML certificate, you should immediately remove and rotate that certificate.
Rotating a Certificate
- Obtain a new certificate from your identity provider.
Go to the identity provider website and download the SAML 2.0 certificate. Make sure that the certificate file is downloaded in PEM encoding format. Most identity providers allow you to create multiple SAML 2.0 certificates; a newly created certificate is usually marked as disabled or inactive until you activate it.
- Import the new certificate to IAM Identity Center.
- Log in to the Huawei Cloud console.
- Click in the upper left corner of the page and choose Management & Governance > IAM Identity Center.
- Choose Settings in the left navigation pane.
- On the Identity Source tab, click Modify SAML 2.0 Configuration in the Authentication Method row.
- On the displayed page, click Import.
- In the displayed dialog box, click Select File, select the obtained new certificate, and click Import Certificate.
Figure 1 Importing a certificate
IAM Identity Center will then trust incoming SAML messages signed with either of the two certificates that you have imported.
- Activate the new certificate in the external identity provider.
Return to the identity provider website and mark the new certificate that you created earlier as primary or active. From this point on, all SAML messages sent by the identity provider should be signed with the new certificate.
- Delete the old certificate.
Before deleting the old certificate, ensure that your identity provider no longer uses it to sign SAML responses.
There must always be at least one valid certificate in the certificate list.
- On the Manage SAML 2.0 Authentication page, select the certificates to be deleted and click Delete.
- In the displayed dialog box, enter DELETE and click OK.
Figure 2 Deleting a certificate
- Return to the identity provider website and delete the old certificate.
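The procedure above carries three checks that are easy to get wrong by hand: the downloaded file must be PEM encoded (step 1), at most two certificates can be installed at once (step 2), and the old certificate may be deleted only once the identity provider no longer publishes it for signing and at least one certificate would remain (step 4). The following script is an added example, not Huawei Cloud or IAM Identity Center code, that automates those pre-flight checks with the Python standard library. It assumes the identity provider publishes standard SAML 2.0 metadata (`md:KeyDescriptor` elements under `md:IDPSSODescriptor`) and identifies certificates by the SHA-256 fingerprint of their DER bytes; the base64 bodies in the sample data are constructed placeholders, not real certificates.

```python
"""Pre-flight checks for rotating an IdP SAML 2.0 signing certificate.

Added example (not Huawei Cloud / IAM Identity Center code); standard library only.
Assumes standard SAML 2.0 metadata and PEM-encoded certificate files.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MAX_CERTS = 2  # IAM Identity Center accepts at most two certificates at a time
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_pem(text: str) -> bool:
    """True if the file has a PEM certificate block (header, base64 body, footer)."""
    return PEM_RE.search(text) is not None


def pem_to_der(text: str) -> bytes:
    """Decode the first PEM certificate block to DER bytes; reject non-PEM input."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("certificate is not PEM encoded; re-download it in PEM format")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the IdP metadata publishes for signing.

    A KeyDescriptor without a 'use' attribute may be used for signing as well as
    encryption, so it is counted; use="encryption" is not.
    """
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            found.add(fingerprint(der))
    return found


def can_import(installed: set, new_cert_pem: str) -> tuple:
    """Step 2: enforce the two-certificate limit and refuse duplicates."""
    fp = fingerprint(pem_to_der(new_cert_pem))
    if fp in installed:
        return False, "certificate is already imported"
    if len(installed) >= MAX_CERTS:
        return False, "two certificates already present; delete the old one first"
    return True, fp


def safe_to_delete(old_cert_pem: str, installed: set, metadata_xml: str) -> bool:
    """Step 4: delete only if the IdP no longer signs with it and one cert remains."""
    fp = fingerprint(pem_to_der(old_cert_pem))
    if fp not in installed or len(installed - {fp}) < 1:
        return False
    return fp not in signing_fingerprints(metadata_xml)


# Constructed placeholders: these base64 bodies are NOT real DER certificates; they
# only stand in for the bytes a real X509Certificate element would carry.
OLD_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
NEW_CERT_PEM = "-----BEGIN CERTIFICATE-----\nbmV3\n-----END CERTIFICATE-----\n"


def _kd(b64: str, use: str = None) -> str:
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def _metadata(*key_descriptors: str) -> str:
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(key_descriptors) + "</md:IDPSSODescriptor></md:EntityDescriptor>")


# Constructed IdP metadata: during rotation both certs are published (step 3 done,
# old cert not yet removed at the IdP); afterwards only the new cert remains.
METADATA_DURING_ROTATION = _metadata(_kd("YWJj", "signing"), _kd("bmV3"), _kd("ZW5j", "encryption"))
METADATA_AFTER_ROTATION = _metadata(_kd("bmV3"), _kd("ZW5j", "encryption"))

if __name__ == "__main__":
    installed = {fingerprint(pem_to_der(OLD_CERT_PEM))}
    ok, info = can_import(installed, NEW_CERT_PEM)
    print("import new certificate:", ok, info)
    if ok:
        installed.add(info)
    print("old cert deletable during rotation:",
          safe_to_delete(OLD_CERT_PEM, installed, METADATA_DURING_ROTATION))
    print("old cert deletable after IdP switch:",
          safe_to_delete(OLD_CERT_PEM, installed, METADATA_AFTER_ROTATION))
```

Run it against the real downloaded certificate and the identity provider's current metadata document in place of the constructed samples; `safe_to_delete` stays false while the old certificate is still listed as a signing key, which is exactly the condition step 4 asks you to confirm before clicking Delete.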