Pivotal Knowledge Base


PCF Advisory - SAML Service Provider Credential Certificates Expire After 2 Years


  • Pivotal Elastic Runtime Version 1.9 and above
  • Pivotal Cloud Foundry (PCF)


The Elastic Runtime UAA service holds a certificate that signs outbound communication to the external SAML Identity Provider (IdP). This certificate has a 2-year expiration period and must be regenerated after that time.

This certificate is used to sign the SAML authentication requests sent to the Identity Provider. The signature is sent for extra security, so the impact of rotating the certificate depends on whether the IdP validates it.


Rotating the SAML Service Provider Credentials will only have an impact if the answer to all of the following questions is 'yes':

  1. Are you using SSO in production for apps?
  2. If yes, are you using SAML Identity Providers for SSO service plans?
  3. If yes, did you have Ops Manager generate a certificate for you? (This is done by using the Generate RSA Certificate button in Ops Manager.)
  4. If yes, are you validating the signature of the SAML authentication requests on the Identity Provider side?


Validate the expiration time of the certificate:

For Elastic Runtime >= 1.11.x, navigate to:
Elastic Runtime > UAA > SAML Service Provider Credentials


For Elastic Runtime <= 1.10.x, navigate to:
Elastic Runtime > Authentication & SSO > Service Provider Credentials 


Copy the contents of the certificate into a temporary file (for example, test.pem).

Execute the following command to validate the expiration time on the certificate.

# openssl x509 -enddate -noout -in test.pem
notAfter=Dec  7 21:01:04 2017 GMT

Alternatively, you can check via the Ops Manager API by following the steps in this article: https://discuss.pivotal.io/hc/en-us/articles/115015525088-PCF-Advisory-Internal-certificates-expire-2-years-after-installation

$ curl "https://OPS-MAN-FQDN/api/v0/deployed/certificates?expires_within=6m" \
-H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"

Find the certificate whose property_reference is .uaa.service_provider_key_credentials and check its valid_until value:

"property_reference":".uaa.service_provider_key_credentials" ... "valid_until":"2019-06-14T11:37:11Z"
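As an added example (not part of the original advisory), the script below turns either of the checks above into a days-remaining figure: it parses the openssl notAfter line and the API's valid_until value, locates the .uaa.service_provider_key_credentials record, and flags the certificate when it falls inside the same 6-month window as the expires_within=6m query. The sample API response is constructed; any field beyond property_reference and valid_until, and the ~182-day reading of "6m", are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Property the advisory says identifies the UAA SAML Service Provider certificate
SAML_SP_PROPERTY = ".uaa.service_provider_key_credentials"
# Rotation window matching the advisory's expires_within=6m query (assumed to be ~182 days)
ROTATION_WINDOW = timedelta(days=182)

def parse_openssl_enddate(line):
    """Parse 'notAfter=Dec  7 21:01:04 2017 GMT' (openssl x509 -enddate) into a UTC datetime."""
    stamp = line.strip().partition("=")[2]
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_api_timestamp(stamp):
    """Parse the Ops Manager API's ISO 8601 valid_until value, e.g. 2019-06-14T11:37:11Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_saml_sp_cert(api_response):
    """Return the deployed-certificates record for the SAML SP key, or None if absent."""
    for cert in api_response.get("certificates", []):
        if cert.get("property_reference") == SAML_SP_PROPERTY:
            return cert
    return None

def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has already lapsed."""
    return (not_after - now).days

def needs_rotation(not_after, now, window=ROTATION_WINDOW):
    """True when the certificate expires within the window (or has already expired)."""
    return not_after - now <= window

# Constructed sample response: only property_reference/valid_until come from the advisory,
# and the other record uses a placeholder property name.
SAMPLE_RESPONSE = json.loads("""{"certificates": [
  {"property_reference": ".properties.example_other_cert", "valid_until": "2020-03-01T00:00:00Z"},
  {"property_reference": ".uaa.service_provider_key_credentials", "valid_until": "2019-06-14T11:37:11Z"}
]}""")

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    cert = find_saml_sp_cert(SAMPLE_RESPONSE)
    if cert is None:
        print("No SAML SP credential record found; Ops Manager may not have generated one")
    else:
        expiry = parse_api_timestamp(cert["valid_until"])
        print(f"SAML SP cert expires {expiry:%Y-%m-%d}: {days_remaining(expiry, now)} days left,"
              f" rotate now: {needs_rotation(expiry, now)}")
```

To check a live deployment, replace SAMPLE_RESPONSE with the JSON returned by the curl command above.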

Rotating SAML Service Provider Credential certificate

If the certificate is nearing expiration then it needs to be regenerated.

This will only be disruptive if Elastic Runtime is configured to use SSO / SAML and the IdP is validating the requests, in which case the new certificate will need to be imported into the IdP.

Perform the following steps:

  1. Arrange for the IdP admin to be available before the certificate expires.
  2. Disable certificate validation on the IdP end.
  3. Generate a new certificate on production by clicking the `generate` option under SAML Service Provider Credentials.
  4. Import the new certificate into your IdP:
    https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf
    These steps will vary depending on which SAML provider you are using:
    If using ADFS, see: https://docs.pivotal.io/p-identity/1-3/adfs/config-adfs.html
    If using CA SSO, see: https://docs.pivotal.io/p-identity/1-3/ca-sso/config-ca-sso.html
    If using OKTA, see: https://docs.pivotal.io/p-identity/1-3/okta/config-okta.html
    If using PingFederate, see: https://docs.pivotal.io/p-identity/1-3/pingfederate/config-pingfederate.html
  5. Re-enable certificate validation on the IdP.
  6. Validate system functionality.

Additional Information

Guide to importing certificates to SSO provider, https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf

Reference to using OpsManager API, https://docs.pivotal.io/pivotalcf/1-10/customizing/ops-man-api.html

Reference guide on rotating and regenerating certs in PCF, https://docs.pivotal.io/pivotalcf/1-12/security/pcf-infrastructure/api-cert-rotation.html

