SAML certificate expiry - FAQ
Am I affected by this?
Your organisation will be affected if:
You are using certain SAML local connectors
You are using 1:1 connections to SAML resources
You are a service provider (see: Updating signing certificates for OpenAthens IdPs)
What is a SAML signing and encryption certificate?
OpenAthens uses a standard called SAML (Security Assertion Markup Language) to enable single sign-on (SSO). SAML is a widely used standard that lets two parties exchange information.
Part of the exchange uses signing and encryption certificates to make sure that your login process is secure. The signing certificate verifies that the message comes from the right sender and hasn’t been altered. The encryption certificate makes sure that the message is private.
Both of these certificates are in a SAML entity’s metadata. SAML applications rely on these certificates to verify the authenticity and integrity of messages exchanged between the Identity Provider (IdP) and the Service Provider (SP).
What is going to happen with the certificate?
OpenAthens’ certificates have a ten-year lifetime. The current certificate expires in February 2025.
You need to make sure that all copies of our certificate that you are using are updated before the certificate expires. If an expired certificate is used, the information becomes unreadable and untrustworthy. Without this validity, communication breaks down and access to resources is lost.
What do I have to do to check or update the certificate on my local connector?
Only SAML-based local connectors are affected. We only contacted those that hadn't picked up the new certificate automatically. Examples of SAML connectors are Azure, ADFS, Google and Okta.
For instructions, see: Updating metadata or relying party certificates for SAML local connectors
What do I have to do to check or update my 1:1 resources?
All 1:1 connections (also called custom SAML resources, bilateral connections or peer-to-peer connections) will need to be updated with the new certificate. In some cases you can do this via the resource's configuration interface, but in many cases you will need to pass the details to the provider.
OpenAthens will be contacting the most popular resource providers, listed at https://resource.status.openathens.net/#/incident/VmTuVkI_CsZgFvcrqiumKkJxBZ9Xkx6YcCpA_ZijKM8POgStzPdJeeQHrpG4BK_A5kMSwSiGut0WuJQw8XqtEA==
If you have resources in your administration area (Resources > Catalogue – Custom tab) that aren't on the list above, you will need to address them yourself.

For more, see: Updating the certificate used by custom SAML resources
Which is the old certificate?
The old certificate has the following properties:
Serial Number: 54 ec 42 22
Issued On: Tue Feb 24 2015 09:20:06 GMT+0000 (Greenwich Mean Time)
Expires On: Mon Feb 24 2025 09:20:06 GMT+0000 (Greenwich Mean Time)
SHA-256 Fingerprint: 32 9d 94 4c 88 db 14 98 4d b2 91 78 df ad 3b 39 da 80 01 1a 75 50 2a 80 d5 69 9b 57 7c 9b b2 aa
SHA-1 Fingerprint: 0e ae 65 d2 77 e2 63 b7 17 be 07 1a 5d 85 25 75 21 29 da 8d
Where can I get the new certificate?
The new certificate is available from both Updating metadata or relying party certificates for SAML local connectors and Updating the certificate used by custom SAML resources.
I have checked the certificate expiration date and it is updated. Do I need to do anything else?
If the new certificate has been picked up automatically, is already in use and everything’s working fine, then you don’t need to do anything unless you are also configured to check or sign requests or responses.
If so, you will need to update the signing certificate with the new one on 3 February. The certificate details are as above.
What do I have to do to update the certificate?
Unfortunately there’s no answer that will fit all circumstances. In general though:
If your local directory (or 1:1 resource) can support multiple certificates, use both the old and the new certificate alongside each other. You can remove the old one after it expires.
If your local directory (or 1:1 resource) can only support one certificate at a time, you will need to make the update on the date of the change (12:00 UTC, 3 February 2025).
How do I find my OpenAthens IdP metadata?
Some 1:1 resources may need your OpenAthens IdP metadata. You can find it at:
https://login.openathens.net/saml/2/metadata-idp/YOUR_API_NAME
… where YOUR_API_NAME is the same as your root scope (e.g. example.com), except if you are part of NHS England.
Our service desk will also be happy to help
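As an added example (not OpenAthens code), the stdlib-only Python script below audits the certificates embedded in a SAML metadata file, whether your own IdP metadata from the URL above or metadata a 1:1 resource has on file for you: it reports each KeyDescriptor's fingerprints and notAfter date and flags any copy of the expiring certificate by the SHA-256 fingerprint listed under "Which is the old certificate?". The embedded metadata and certificate skeleton are constructed sample data, not a real certificate, and the minimal DER walk assumes the standard X.509 field order.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SHA-256 fingerprint of the expiring OpenAthens certificate, as listed in the FAQ.
OLD_CERT_SHA256 = ("32 9d 94 4c 88 db 14 98 4d b2 91 78 df ad 3b 39 da 80 01 1a "
                   "75 50 2a 80 d5 69 9b 57 7c 9b b2 aa")
MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"

def normalize_fingerprint(fp):  # lower-case hex with no spaces or colons
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length; every real certificate needs this path
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):  # notAfter of a DER X.509 certificate as an aware UTC datetime
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]                  # Certificate -> tbsCertificate
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0     # skip the optional [0] version
    for _ in range(3):                                 # serialNumber, signature, issuer
        pos = _tlv(tbs, pos)[2]
    validity = _tlv(tbs, pos)[1]
    tag, value, _ = _tlv(validity, _tlv(validity, 0)[2])   # second Time is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def audit_metadata(xml_text):  # one record per KeyDescriptor in IdP or SP metadata
    records = []
    for kd in ET.fromstring(xml_text).iter(MD + "KeyDescriptor"):
        b64 = kd.find(".//" + DS + "X509Certificate").text
        der = base64.b64decode("".join(b64.split()))   # metadata may wrap the base64
        sha256 = hashlib.sha256(der).hexdigest()
        records.append({"use": kd.get("use", "signing+encryption"),  # no 'use' = both
                        "sha256": sha256, "sha1": hashlib.sha1(der).hexdigest(),
                        "not_after": not_after(der),
                        "is_expiring_cert": sha256 == normalize_fingerprint(OLD_CERT_SHA256)})
    return records

# Constructed, non-real certificate skeleton (short-form DER) carrying the FAQ's serial
# and expiry date, wrapped in a minimal metadata document; real metadata holds a full cert.
def _der(tag, body): return bytes([tag, len(body)]) + body
SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes.fromhex("54ec4222"))
    + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, _der(0x17, b"150224092006Z")
    + _der(0x17, b"250224092006Z"))) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run `audit_metadata()` over your real metadata file; a record with `is_expiring_cert` set to True means that copy of the old certificate still needs replacing.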
I have custom SAML resources. Do I need to contact all of the providers?
We are going to contact the SPs of the most common custom SAML resources about this. You will only need to contact the SPs that are not in this list:
Will the certificate expiration affect Lightweight Directory Access Protocol (LDAP) connections?
No. LDAP connections do not use SAML, so they will not be affected.
I am a member of the UK Access Management Federation or InCommon Federation. Do I need to do anything?
If you are part of the UK Access Management Federation or InCommon Federation, you will receive an email with further information on how to proceed.
What should I do if I need help or have an issue that isn’t covered in the FAQ?
Our service desk will be happy to help.