Frequently asked questions - certificate expiration
1. What is a SAML signing and encryption certificate?
OpenAthens uses a secure system called SAML to make logging in easier with single sign-on (SSO). SAML (Security Assertion Markup Language) is a widely used standard that lets one service, called an identity provider (IdP), verify your login details. Once you're authenticated, the identity provider sends a signed assertion (a security token) to another application, known as a service provider (SP), so you can access it without having to log in again.
SAML signing and encryption certificates help to make sure that your login process is secure when using SAML authentication. While the signing certificate verifies that the message really comes from the right sender and hasn’t been altered, the encryption certificate makes sure that the message is protected and no one can read it, keeping it safe and private.
Signing and encryption certificates are included in a SAML entity’s metadata. SAML applications rely on these certificates to verify the authenticity and integrity of messages exchanged between the Identity Provider (IdP) and the Service Provider (SP).
2. What is going to happen with the certificate?
OpenAthens’ certificates have a ten-year lifetime. The current certificate expires in February 2025.
Customers need to ensure that all copies of our certificate that they are using are updated before the certificate expires to maintain access to resources. If a certificate expires without being updated, any information that is encrypted or signed will become unreadable or untrustworthy. This may cause a disruption, breaking the connection between the Identity Provider (IdP) and the Service Provider (SP) and resulting in a loss of access to resources.
3. Where can I find the certificate?
The location of the certificates varies for each customer. Typically, your IT team can provide the necessary details. If you have trouble finding it, please contact us at help@openathens.net.
4. How do I know which certificate needs to be updated?
The current OpenAthens certificate that needs to be replaced in February 2025 is:
· Serial Number: 54 ec 42 22
· Issued On: Tue Feb 24 2015 09:20:06 GMT+0000 (Greenwich Mean Time)
· Expires On: Mon Feb 24 2025 09:20:06 GMT+0000 (Greenwich Mean Time)
· SHA-256 Fingerprint: 32 9d 94 4c 88 db 14 98 4d b2 91 78 df ad 3b 39 da 80 01 1a 75 50 2a 80 d5 69 9b 57 7c 9b b2 aa
· SHA-1 Fingerprint: 0e ae 65 d2 77 e2 63 b7 17 be 07 1a 5d 85 25 75 21 29 da 8d
5. I have checked the certificate expiration date and it is updated. Do I need to do anything else?
The new certificate will be made live on 3 February 2025 12:00 UTC. It has the following properties:
· Not Before: Apr 9 13:15:36 2024 UTC
· Not After: Apr 9 13:15:36 2034 UTC
· Serial Number: 33e64f9cd5aef2c20b113d3cf08a36c34d80e715
If the new certificate is already in use and everything’s working fine, then you don’t need to do anything. This is usually because the software you're using has an automated system that regularly updates the certificate and might automatically switch to the new one.
6. The certificate has not been updated. What do I have to do to update the certificate?
You will need to update to the new certificate (see question 5) and make sure it is in place by 3 February 2025 to prevent any disruption to resource access. If your system allows you to use multiple certificates, you can have both the new and old certificates in place without any issues. However, you shouldn’t remove the old certificate until you receive notification from the OpenAthens team that it is safe to do so. If your system only supports one certificate at a time, then the certificate will have to be updated on 3 February 2025.
There are three situations in which the certificate expiration might affect you:
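The following script is an added example, not OpenAthens code, showing how an administrator can answer questions 4 and 5 from a copy of IdP metadata: it pulls every X509Certificate out of the KeyDescriptor elements, computes the serial number and the SHA-256/SHA-1 fingerprints in the same notation the FAQ uses, and matches them against the serial numbers and SHA-256 fingerprint listed above. It also checks the "both certificates in place" rollover state described in this question. The metadata and certificates it runs on are constructed inline: the certificates are DER skeletons carrying only the leading structure a serial-number parser needs (they are not valid X.509 certificates, so their fingerprints are only meaningful as a demonstration of the computation), and the entityID is a placeholder. Run on real metadata, the same functions produce the values to compare with the FAQ.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Identifiers of the expiring and the replacement certificate, as listed in the FAQ.
EXPIRING_SERIAL = 0x54EC4222
EXPIRING_SHA256 = ("32 9d 94 4c 88 db 14 98 4d b2 91 78 df ad 3b 39 "
                   "da 80 01 1a 75 50 2a 80 d5 69 9b 57 7c 9b b2 aa")
NEW_SERIAL = 0x33E64F9CD5AEF2C20B113D3CF08A36C34D80E715


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der):
    """Serial of a DER certificate: Certificate > tbsCertificate > [0] version > serialNumber."""
    _, cert_body, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(cert_body, 0)            # tbsCertificate ::= SEQUENCE { ... }
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] EXPLICIT version comes first
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def hex_spaced(data):
    return " ".join(f"{b:02x}" for b in data)


def serial_hex(serial):
    return hex_spaced(serial.to_bytes((serial.bit_length() + 7) // 8, "big"))


def fingerprint(der, algorithm):
    """Fingerprint in the FAQ's notation: hash of the DER bytes, one space between bytes."""
    return hex_spaced(hashlib.new(algorithm, der).digest())


def certificates_in_metadata(xml_text):
    """Return (use, DER bytes) for every X509Certificate inside a KeyDescriptor."""
    found = []
    for kd in ET.fromstring(xml_text).iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "signing+encryption")  # no use attribute means both purposes
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            found.append((use, base64.b64decode("".join(x509.text.split()))))
    return found


def identify(der):
    """Match a certificate against the FAQ's identifiers: 'expiring', 'new' or 'unknown'."""
    serial = certificate_serial(der)
    if serial == EXPIRING_SERIAL or fingerprint(der, "sha256") == EXPIRING_SHA256:
        return "expiring"
    return "new" if serial == NEW_SERIAL else "unknown"


def report(xml_text):
    return [{"use": use, "serial": serial_hex(certificate_serial(der)),
             "sha256": fingerprint(der, "sha256"), "sha1": fingerprint(der, "sha1"),
             "identity": identify(der)} for use, der in certificates_in_metadata(xml_text)]


def ready_for_cutover(xml_text):
    """True when every key use present in the metadata already carries the new certificate."""
    by_use = {}
    for use, der in certificates_in_metadata(xml_text):
        for purpose in use.split("+"):
            by_use.setdefault(purpose, set()).add(identify(der))
    return bool(by_use) and all("new" in ids for ids in by_use.values())


def _tlv(tag, value):
    """Minimal DER encoder for values shorter than 128 bytes; used only to build the sample."""
    return bytes([tag, len(value)]) + value


def sample_cert(serial):
    """Constructed DER skeleton with just the Certificate/tbsCertificate prefix a serial
    parser reads. It is not a valid X.509 certificate, so its fingerprints are meaningless."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keep sign bit clear
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def sample_metadata(entries):
    """Constructed IdP metadata with one KeyDescriptor per (use, serial) entry."""
    descriptors = "".join(
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f"{base64.b64encode(sample_cert(serial)).decode()}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for use, serial in entries)
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            'entityID="https://idp.example.test/constructed"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>")


# Rollover state from question 6: old and new signing certificates published side by side.
ROLLOVER_METADATA = sample_metadata(
    [("signing", NEW_SERIAL), ("signing", EXPIRING_SERIAL), ("encryption", NEW_SERIAL)])

if __name__ == "__main__":
    for row in report(ROLLOVER_METADATA):
        print(row["use"], row["identity"], row["serial"], row["sha256"])
    print("ready for cutover:", ready_for_cutover(ROLLOVER_METADATA))
```

Matching on the serial number alone is enough to recognise the replacement certificate, because the FAQ publishes no fingerprint for it; the expiring certificate is matched on either its serial or its SHA-256 fingerprint. A system that can hold only one certificate per use will report `ready_for_cutover` as false until its single signing entry is the new one.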
a. You are using a local directory integration (LDI) to provide access to your users
Some connector interfaces do not use certificates, or we know that they will update automatically (e.g. LDAP, Azure/Entra). We only contacted customers whose LDI may require updating.
If you have an LDI that uses SAML, in some cases the metadata will be updated automatically; in other cases you will have to refresh the metadata manually. Please review the documentation about updating metadata or relying party certificates for SAML local connectors for more information.
We encourage you to pass this information to your technical team to ensure they are aware of the forthcoming certificate expiry and assist in making a decision. If necessary, they can also raise a ticket with us for further support.
b. You have custom SAML 1:1 (Bilateral / Peer-to-Peer) resources in your catalogue
If you have custom SAML resources (or 1:1 connections) in your catalogue, the Service Provider or publisher (SP) will need to update your OpenAthens IdP metadata and/or certificate. In some cases, you may be able to update the resource yourself through an interface on the publisher’s website. In others, you will need to contact the service provider or publisher and ask them to update the certificate.
OpenAthens will be contacting the most popular resource providers (see question 8), but for some of the less common resources, you may have to contact the Service Provider directly and ask them to update your metadata.
Please review the documentation about updating the certificate used by custom SAML resources for more information.
c. You are a Service Provider or publisher (SP)
If you use Keystone, you won’t need to take any action, as this process will happen automatically.
If you are not using Keystone but are regularly updating the metadata and can support two certificates at once, then you don’t need to do anything. Otherwise, you’ll just need to refresh your metadata cache or re-load it, depending on the configurations you have. Please review the documentation about updating signing certificates for OpenAthens IdPs for more information.
We encourage you to share this information with your technical team, so they are aware of the event and can help make the right decision. If needed, they can also reach out to us by submitting a ticket for additional support.
7. How do I find my OpenAthens IdP metadata?
In case you need to provide the custom resource publisher with your OpenAthens IdP metadata, you can normally find it at https://login.openathens.net/saml/2/metadata-IdP/[customer’s domain].
Please review the documentation about how to access your login.openathens.net metadata for more information. You can contact us at help@openathens.net if you have any problems obtaining the metadata URL.
8. I have custom SAML resources. Do I need to contact all of the providers?
At OpenAthens, we are going to contact the SPs of the most common custom SAML resources to let them know about the certificate expiration. Please review the list. You will only need to contact the SPs that are not in that list.
You will have to review the list of resources in your catalogue that are flagged as “SAML” and contact any service providers that don’t appear in the list.
Note: You do not need to do anything with resources marked as "custom".
9. Will the certificate expiration affect Lightweight Directory Access Protocol (LDAP) connections?
No, LDAP connections will not be affected.
10. I am a member of the UK Access Management Federation and/or InCommon Federation. Do I need to do anything?
If you are part of the UK Access Management Federation and/or InCommon Federation, you will receive an email with further information on how to proceed.
11. What should I do if I need help or have an issue that isn’t covered in the FAQ?
If you can’t find the answer to your question here or if you’re experiencing an issue, don’t worry—our support team is here to help! Please feel free to reach out to us by raising a ticket through our support portal or by emailing help@openathens.net.