SSO Identity Provider expiring

Kent_CBD
New Contributor II

We have set up Single Sign-on via Azure, and it works like a charm.

However, a couple of weeks ago, an alert popped up that the "Signing Certificate issued by SSO Identity Provider is expiring in .. days".

I followed the instructions to "Visit your SSO Identity Provider to update the certificate", and the newly activated certificate is valid until June 2026. But, the alert does not go away.

In the SSO settings, we originally linked to a URL for the Identity Provider Metadata Source; and, this URL did not change in Azure when the new certificate was activated. I tried to replace the URL with the updated metadata file, but still no change in the alert.

I suspect that the best practice for SSO certificate management involves updating it more than 30 days ahead of the expiration (30 days being when the alerts started); and, since it progressed to the point of alerting, it can't be undone?

Having reached this point, however, I wonder what I can do to A) get rid of the alert; and (more importantly) B) ensure that the SSO logins continue to work past the (old) certificate expiration date.

Should I disable SSO login completely, then turn it back on with the newer certificate? Or, should I wait it out for 17 more days, and see what happens?

1 ACCEPTED SOLUTION

bootrec
Contributor

Had the same issue and fixed it this morning. For my situation, the old SAML certificate that was set to expire in July was still listed, but marked as inactive. The notification matched the expiry of that certificate. A new certificate was automatically created with expiry in 2026, set as active. I had to delete the old certificate. In Jamf, I pasted the URL even though it was the same and hit save. I don't know if it was a question of logging out and back in, or closing the browser or re-opening, but the notification went away.

Strongly suggest you have a failover account before mucking around with this.

Kent_CBD
New Contributor II

Deleting the inactive certificate is one thing I hadn't thought of; and, that seems to have done the trick!

FWIW, the alert notification did not immediately go away, even after switching between the URL and XML file (and back). But, while I was staring at the screen trying to figure out the next step, it just disappeared.

Thank you for the idea!

auser
New Contributor III

I am having the exact issue. I can see only the current one with the new expiration is active, but I still see a message in JAMF. Any other ideas?

Kent_CBD
New Contributor II

The alert notification didn't immediately disappear for me; but, I don't think it took longer than 10-20 minutes after I deleted the old cert from Azure. I don't recall if the JAMF settings were displaying the new cert expiration date while the notification was active or not though.

vantive
New Contributor III

We deleted the old one weeks ago, and are still getting the notice (3 days left). I am a little worried that SSO may stop working then.

Kent_CBD
New Contributor II

(I accidentally posted my reply on the main thread. Commenting here to make sure you're notified.)

Kent_CBD
New Contributor II

With that little time remaining, I would definitely try to involve an official JAMF support person. Pointing them to this thread might help them narrow down the problem more quickly though.

Other than that, you should make sure that the URL or metadata file in the JAMF SSO page matches your latest info in Azure, and that the old Azure cert is definitely deleted, and not just inactive. And, if that fails, then Bootrec's comment regarding a failover login URL is very important too.

auser
New Contributor III

I did manage to fix it, and the trick was to toggle back and forth between the XML and the URL. This cleared the notification.

Toggle back and forth between XML and URL???

Can you be more specific, as in 'steps', because I'm not quite sure I understand what you're saying here.

TheCrusher4Real
New Contributor III

Having a similar issue. Getting a notification in JAMF: "Signing certificate issued by SSO identity provider expired."

Assuming this is why I can't install anything from Service Center.

Our main JAMF technician is out for a couple weeks; I have about an hour of experience in JAMF.

Would like to get more details around the following:

1. OP stated "I followed the instructions to "Visit your SSO Identity Provider to update the certificate". Can someone specify where these instructions can be found? I'm not even sure where to look to start trying to troubleshoot/fix this issue.

2. One of the replies stated that they "toggled back and forth between XML and URL". Curious if that can be explained in more detail.

I believe that the "Visit your SSO Identity Provider" prompt was on the screen which was warning about the (soon) expiring certificate. My certificate is now renewed, so I don't see those exact words anywhere right now. At any rate, our SSO Identity Provider is MS Azure, and the details for that setting are in the Enterprise Applications section of Azure (Entra).

If you also use Azure, then in the Azure application setting page for Jamf Pro, there is a "Single sign-on" section, which has a series of numbered sections within it. Section "3" ("SAML Certificates") has both an "App Federation Metadata Url" which can be copied, and a "Federation Metadata XML" file which can be downloaded. If you don't use Azure, there is most likely a very similar page on whichever service you have connected.

Back on the JAMF Settings page, there is the Single Sign-On section. On the Single Sign-On page, the "Identity Provider Metadata Source" (in the "Identity Provider" section) is where you either paste the URL or upload the XML file. When "toggling" is mentioned, it means changing this setting from XML file to URL or vice versa.
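The root cause bootrec found is that the alert tracks whatever signing certificates the IdP metadata still publishes, not just the one marked active. The following is an added example (not code from the thread, from Jamf, or from Microsoft) that reads SAML IdP metadata, lists every signing certificate it advertises with its expiry, and flags any that fall inside the 30-day window at which the alert appeared. It uses only the Go standard library; the metadata it runs on is constructed in the block from two throwaway self-signed certificates (an "old" one 17 days from expiry beside a "new" one a year out, mirroring the state described above), and the tenant ID in the entityID is a placeholder. To check a real tenant, replace `constructedMetadata(now)` with the body fetched from the "App Federation Metadata Url" mentioned earlier in the thread, or with the downloaded "Federation Metadata XML" file; if the output still lists the old certificate, that is what the alert is reacting to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Just the parts of SAML 2.0 IdP metadata this check reads (tags without a namespace match any namespace).
type entityDescriptor struct {
	KeyDescriptors []struct {
		Use   string   `xml:"use,attr"`
		Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

type signingCert struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int // whole days until NotAfter; negative once expired
}

// signingCerts lists each signing certificate the metadata advertises (use="signing" or no use attribute).
func signingCerts(metadata []byte, now time.Time) ([]signingCert, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return nil, err
	}
	var out []signingCert
	for _, kd := range ed.KeyDescriptors {
		if kd.Use != "" && kd.Use != "signing" {
			continue
		}
		for _, b64 := range kd.Certs {
			// Base64 in metadata is often line-wrapped and indented; drop all whitespace first.
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, err
			}
			cert, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, err
			}
			days := int(cert.NotAfter.Sub(now).Hours() / 24)
			out = append(out, signingCert{cert.Subject.CommonName, cert.NotAfter, days})
		}
	}
	return out, nil
}

// selfSigned makes a throwaway self-signed certificate (constructed test data, not
// an Azure certificate), base64-encoded the way metadata carries it.
func selfSigned(cn string, notAfter time.Time) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.AddDate(-3, 0, 0),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// constructedMetadata reproduces the state bootrec described: the old signing
// certificate, 17 days from expiry, still listed beside the new one (placeholder tenant ID).
func constructedMetadata(now time.Time) []byte {
	const kd = `<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">` +
		`<X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>`
	md := `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">` +
		`<IDPSSODescriptor>` + kd + kd + `</IDPSSODescriptor></EntityDescriptor>`
	return []byte(fmt.Sprintf(md, selfSigned("old-saml-signing", now.AddDate(0, 0, 17)),
		selfSigned("new-saml-signing", now.AddDate(1, 0, 0))))
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	certs, err := signingCerts(constructedMetadata(now), now)
	if err != nil {
		panic(err)
	}
	for _, c := range certs {
		// alert=true marks a published signing cert inside the 30-day window the thread's alert uses.
		fmt.Printf("%-18s expires %s, %d days left, alert=%t\n", c.Subject, c.NotAfter.Format("2006-01-02"), c.DaysLeft, c.DaysLeft <= 30)
	}
}
```

A KeyDescriptor with `use="encryption"` is deliberately skipped, since the alert concerns signing certificates only; one with no `use` attribute counts, because the SAML metadata spec treats that as usable for both.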