Managing the Imprivata IdP Certificate for WebSSO

SAML certificates are used to confirm the authenticity and integrity of messages exchanged between Service Providers (SPs, the web applications) and the Identity Provider (IdP, Imprivata Web SSO).

These certificates are included within the SAML metadata files exchanged between the IdP and SP during initial WebSSO setup.

After either certificate expires, your end users will not be able to log into SP applications you have enabled for Imprivata Web SSO. After you replace the expired certificate, access with Imprivata Web SSO will be restored.

If an SP certificate is expiring, see Managing SP Certificates for Web SSO.

IdP Certificate Expiring

The IdP certificate expires two years after it is enabled. You will receive an alert on the Imprivata Admin Console beginning 60 days before it expires. The alert includes the date of expiry, and lists all SPs that use the IdP certificate.

An email notification is also sent to the administrator 60 days and 30 days before the IdP certificate expires, and every day of the last week before it expires.

You can only replace the IdP certificate within 60 days of the expiration date.

In the Imprivata Admin Console, click on the alert to view the web app(s) that use the expiring IdP certificate, and update the certificate for each web app by reconfiguring the IdP metadata.

As you update each web application with the new certificate, switch that application to the new IdP certificate at the same time, so that the SP and the IdP change together.

Provide IdP Certificate to the Web Application

  1. On the Imprivata Admin Console, go to Applications > Single sign-on application profiles.

  2. Click Edit Profile for the SAML application.

  3. Under Identity provider (IdP) metadata, click View and copy your Imprivata enterprise (IdP) SAML metadata.

  4. Download the IdP certificate or copy the metadata URL, depending on how your SP consumes the metadata. Refer to the Imprivata Help topic for the web app for details.

  5. Upload the new IdP certificate to the Service Provider manually or via the metadata.

Start Using New IdP Certificate

  1. In the Imprivata Admin Console, go to Applications > Single sign-on application profiles.

  2. Click Edit Profile for the SAML application.

  3. Under Identity provider (IdP) metadata, click Start using new IdP certificate.

    Imprivata can now use the new IdP certificate for SAML assertions with this web application.

  4. Return to the Imprivata Admin Console. The alert should no longer be displayed.

NOTE:

Because more than one SP uses the IdP certificate, the expiring certificate is still valid after the new certificate is generated. This provides a grace period to transition all SPs to the new certificate and keeps the old IdP certificate valid until its expiration date.
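An added example, not part of Imprivata's documentation or product: a POSIX shell script that pulls every X509Certificate out of an IdP SAML metadata file and reports which ones fall inside the 60-day expiry window described above, using only openssl. It assumes the standard SAML 2.0 metadata layout (KeyDescriptor > KeyInfo > X509Data > X509Certificate) and constructs its own sample metadata, with an "old" certificate 45 days from expiry beside a "new" one, which is what an IdP advertises during the grace period in the note above.

```shell
#!/bin/sh
# Added example: audit the signing certificates advertised in IdP SAML metadata.
# Assumes only openssl (1.1 or 3.x) plus POSIX tools; all input is constructed below.
set -eu

# Print the base64 body of every X509Certificate element in file $1, one per line.
# Whitespace is stripped first because exported metadata usually line-wraps the base64.
saml_certs() {
  tr -d ' \t\r\n' < "$1" | grep -o '<[^/<>]*X509Certificate>[^<]*' | sed 's/^<[^>]*>//'
}

# For each certificate in metadata file $1, print ALERT if it expires within $2 days
# (Imprivata warns at 60), otherwise OK, followed by its subject and notAfter date.
# Note: every advertised certificate is checked, including any marked use="encryption".
audit_idp_metadata() {
  saml_certs "$1" | while read -r b64; do
    info=$(printf '%s' "$b64" | openssl base64 -d -A | openssl x509 -inform DER -noout -subject -enddate | tr '\n' ' ')
    if printf '%s' "$b64" | openssl base64 -d -A | openssl x509 -inform DER -noout -checkend $(( $2 * 86400 )) > /dev/null; then
      echo "OK    $info"
    else
      echo "ALERT $info"
    fi
  done
}

# Constructed sample: a self-signed certificate per CN/validity pair, wrapped as IdP metadata.
self_signed_b64() { # $1 = CN, $2 = days valid; prints single-line base64 DER
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -subj "/CN=$1" -days "$2" \
    -outform DER 2>/dev/null | openssl base64 -A
}
build_sample_metadata() { # "old" cert with 45 days left next to a "new" two-year cert
  printf '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">\n<md:IDPSSODescriptor>\n'
  for spec in idp-old:45 idp-new:730; do
    printf '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n%s\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n' \
      "$(self_signed_b64 "${spec%:*}" "${spec#*:}" | fold -w 64)"
  done
  printf '</md:IDPSSODescriptor>\n</md:EntityDescriptor>\n'
}

meta=$(mktemp)
build_sample_metadata > "$meta"
audit_idp_metadata "$meta" 60
rm -f "$meta"
```

Point audit_idp_metadata at the metadata downloaded from the IdP (step 4 above) to confirm the SP is seeing the new certificate and how long the old one remains valid.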