Resolving “Signing Certificate issued by SSO Identity Provider is expiring in 30 days” notifications in Jamf Pro after rotating Entra ID SAML signing certificate
2023-11-4 22:37:11 Author: derflounder.wordpress.com

I have a Jamf Pro server which is connected to Microsoft’s Entra ID for its directory service. Recently, I received an email from Microsoft letting me know that the SAML signing certificate for the Entra ID app I was using to provide a connection between Jamf Pro and Entra ID was coming up for expiration in about 30 days.

This certificate is used by Entra ID to sign the SAML tokens being issued to the Entra ID app, and by default it is good for three years. For those interested, Microsoft has a KBase article available with more information about this topic:

Tutorial: Manage certificates for federated single sign-on: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on

The instructions for rotation of this certificate are pretty straightforward and were provided in the email sent to me by Microsoft.

I scheduled the rotation during a planned maintenance downtime and everything appeared fine once the new SAML signing certificate was in place and active.

However, when I logged into Jamf Pro following the certificate rotation, I noticed I had a new notification appearing:

Signing Certificate issued by SSO Identity Provider is expiring in 30 days

Since I had just rotated the SAML signing certificate and had verified that the new one (which does not expire in 30 days) was the active one, this message was concerning. After some research, I ran across a Jamf Nation discussion which provided an explanation for the message:

Even though the old SAML signing certificate was now marked as inactive, Jamf Pro was still detecting its presence and reporting (correctly) that it would expire in 30 days.

From there, the solution was straightforward: Delete the inactive SAML signing certificate from Entra ID.

This left only the active SAML signing certificate listed in Entra ID. This certificate has an expiration date greater than 30 days.

Once the inactive SAML signing certificate was deleted, Jamf Pro took about twenty minutes to register that fact. After that, the notification message disappeared from Jamf Pro without additional actions needed on my part.


Source: https://derflounder.wordpress.com/2023/11/04/resolving-signing-certificate-issued-by-sso-identity-provider-is-expiring-in-30-days-notifications-in-jamf-pro-after-rotating-entra-id-saml-signing-certificate/