You rotate SAML service provider (SP) credentials in your VMware Tanzu Operations Manager deployment.
SAML SP credentials are one example of configurable certificates in VMware Tanzu Application Service for VMs (TAS for VMs). When TAS for VMs is configured to use SAML as an IDP, it uses a configurable certificate authority (CA) certificate to authenticate to an external SAML server. The CA generates ephemeral certificates that TAS for VMs includes in its outbound request message headers. This CA has a two-year expiration period.
In addition, the Single Sign-On for VMware Tanzu service shares the use of TAS for VMs SAML certificates for every SAML external IDP integration, such as trust, partnership, or federation. You must rotate these in lockstep with TAS for VMs. For more information about Single Sign-On for VMware Tanzu, see the Single Sign-On for VMware Tanzu documentation.
This topic also provides an example of how to rotate certificates for each IDP, including temporarily deactivating certificate validation on the IDP side during the rotation.
For more information about rotating SAML certificates in Tanzu Operations Manager, see Checking and Rotating Tanzu Operations Manager SAML Certificate before it expires.
SAML SP credentials are only required for your TAS for VMs deployment if all of these conditions are met:
You are using Single Sign-On for VMware Tanzu in production for log in to TAS for VMs or using the Single Sign-On for VMware Tanzu service for login to apps.
You are using SAML IDPs for TAS for VMs or Single Sign-On for VMware Tanzu service plans.
You had Tanzu Operations Manager generate a certificate for you by clicking the Generate RSA Certificate button.
You are validating the signature of SAML authentication request with your IDP.
To regenerate and rotate SAML SP certificates without disrupting TAS for VMs or your apps using the Single Sign-On for VMware Tanzu service:
Deactivate certificate validation in your IDP.
For TAS for VMs, follow the procedure in the following table that corresponds to your use case. This includes downloading and importing a new certificate and updated SAML metadata in your IDP.
For the Single Sign-On for VMware Tanzu service, follow the procedure in the following table that corresponds to your use case. This includes downloading the SAML SP metadata for each SAML IDP integration. For example, trust, partnership, or federation, and importing the updated SAML SP metadata in your IDP.
Solution Name | Procedure |
---|---|
AD FS | Configuring a Single Sign-On for VMware Tanzu Service Provider |
CA Single Sign-On for VMware Tanzu | Configuring a Single Sign-On for VMware Tanzu Service Provider |
Okta | Configure Okta as an Identity Provider |
PingFederate | Configure PingFederate as an Identity Provider |
Additional Documentation | Integration Guides |
Re-enable certificate validation in your IDP.