After Centrify Identity Platform release of version 17.6, how can an Administrator update the signing certificates for SAML or Office 365/WS-Fed apps and OpenID Connect (OIDC) apps to use SHA256 Algorithm to replace the legacy SHA1 certificate?Answer:
As of build 17.6, a new section of the Centrify Admin portal becomes visible, which shows all signing certificates issued or used by the tenant. A new SHA256 certificate will be created and will be the new default, so all new apps moving forward will automatically use a certificate with a SHA256 Algorithm. For apps pre-17.6 build, in tenants configured pre-July 2016 or that are using a SHA1 signing certificate, the following steps are needed to update existing Apps to use the new certificate algorithm.For SAML Apps, WS-Fed Apps and OpenID Connect Apps
1. Login to the Centrify Admin portal and browse to Settings>Authentication>Signing Certificates.
2. Confirm that the new default certificate is now using SHA256 Algorithm. If this has been changed to another, non SHA256 certificate, simply check the box and in the action menu select as default. Here additional certificates used for signing can be uploaded if needed as well.
3. Once confirmed, next download the certificate and store for use on next step. Note that this can also be done via the App itself.
4. Next, browse to the App that will be updated. In the Application settings, the certificate in use will be displayed in a drop menu, with the certificate info below it.
5. Expand the drop menu, and choose the new default certificate, which is using the SHA256 Algorithm. *CAUTION* Before saving, be prepared with the corresponding App configuration page for the Service Provider (SP). (In this example, an Administrator should have the Box side SAML configuration screen also open.) As soon as the new certificate is saved in Centrify, all User log in to the app will fail by design. This will continue until the new cert is used to replace the old on the SP side under the signing certificate section.
6. The last step, as indicated by the caution message, is to upload the certificate to the SP side for the signing certificate. Some SP's may allow multiple signing certificates, but an Administrator should be prepared for a brief outage
while the certificate is saved in both Centrify and the SP side. Once they are both matching, log in will continue to work as before.
If the SP does not allow or have an option for certificate uploads, and instead uses metadata xml upload, then rather than downloading the certificate for upload, the Administrator should download the metadata AFTER
saving the new certificate. Then, upload the new metadata instead. This can be done using the "Download Identity Provider SAML metadata" url located near the certificate selection screen.
Steps may vary based on the SP, and should be investigated prior to the SP upload step to ensure the correct option is selected on the Centrify side.
*If the SP has already deprecated the SHA1 Algorithm certificates, then simply follow the same steps to correct. For Office 365 WS-Fed +Provisioning App update:
1. Office 365 app has an automatic way of doing the above for Federated domains, which are owned. To update, an Administrator should follow steps 1 and 2 above.
2. Once completed with the above steps, next, select the domain(s) which are Federated and Owned, and choose to "Refederate Domain" in the Action menu. *Note- If the option to Refederate is missing, an Administrator should first take Ownership of the domain in the action menu for the domain. This should be done for all domains which are Federated.