Updating SSO Certificates

Most Single Sign-On (SSO) certificates will expire and must be renewed at some point. However, Slate references your live metadata from a publicly available URL, so your IT team or SSO manager can update the certificate without assistance from Technolutions. Slate automatically checks the URL every twenty (20) minutes for updates to your metadata, such as a new certificate added before the existing one expires.

SSO works based on a trust relationship between:

  • An application (the service provider)
  • An identity provider

This trust relationship is usually based on a certificate exchanged between the identity provider and the service provider. The identity provider uses this certificate to sign the identity information it sends to the service provider, so that the service provider knows it is coming from a trusted source. The certificate used must match your SAML response.

If your Identity Provider (IdP) can include multiple active certificates in the metadata, as most can, you can add your new certificate before the existing certificate expires. This ensures that Slate has access to the necessary certificates when the identity provider makes the switch. If there are no changes to your entity ID or attribute (for user ID), there will be no need for a manual update or intervention from Technolutions.
