This topic describes how to rotate SAML service provider (SP) credentials in your VMware Tanzu Operations Manager deployment.

SAML SP credentials are one example of configurable certificates in VMware Tanzu Application Service for VMs (TAS for VMs). When TAS for VMs is configured to use SAML as an IDP, it uses a configurable certificate authority (CA) certificate to authenticate to an external SAML server. The CA generates ephemeral certificates that TAS for VMs includes in its outbound request message headers. This CA has a two-year expiration period.

In addition, the Single Sign-On for VMware Tanzu service shares the use of TAS for VMs SAML certificates for every SAML external IDP integration, such as trust, partnership, or federation. You must rotate these in lockstep with TAS for VMs. For more information about Single Sign-On for VMware Tanzu, see the Single Sign-On for VMware Tanzu documentation.

This topic also provides an example of how to rotate certificates for each IDP, including temporarily deactivating certificate validation on the IDP side during the rotation.

For more information about rotating SAML certificates in Tanzu Operations Manager, see Checking and Rotating Tanzu Operations Manager SAML Certificate before it expires.

Prerequisites

SAML SP credentials are only required for your TAS for VMs deployment if all of these conditions are met:

  • You are using Single Sign-On for VMware Tanzu in production to log in to TAS for VMs, or you are using the Single Sign-On for VMware Tanzu service to log in to apps.

  • You are using SAML IDPs for TAS for VMs or Single Sign-On for VMware Tanzu service plans.

  • You had Tanzu Operations Manager generate a certificate for you by clicking the Generate RSA Certificate button.

  • You are validating the signature of SAML authentication requests with your IDP.

Rotate SAML certificates

To regenerate and rotate SAML SP certificates without disrupting TAS for VMs or your apps using the Single Sign-On for VMware Tanzu service:

  1. Deactivate certificate validation in your IDP.

  2. For TAS for VMs, follow the procedure in the following table that corresponds to your use case. This includes downloading and importing a new certificate and updated SAML metadata in your IDP.

    Solution Name                                 Procedure
    CA Single Sign-On aka CA SiteMinder           Configuring CA as an Identity Provider
    PingFederate                                  Configuring PingFederate as an Identity Provider
    Active Directory Federation Services (AD FS)  Configuring AD FS as an Identity Provider
  3. For the Single Sign-On for VMware Tanzu service, follow the procedure in the following table that corresponds to your use case. This includes downloading the SAML SP metadata for each SAML IDP integration (for example, trust, partnership, or federation) and importing the updated SAML SP metadata in your IDP.

    Solution Name                       Procedure
    AD FS                               Configuring a Single Sign-On for VMware Tanzu Service Provider
    CA Single Sign-On for VMware Tanzu  Configuring a Single Sign-On for VMware Tanzu Service Provider
    Okta                                Configure Okta as an Identity Provider
    PingFederate                        Configure PingFederate as an Identity Provider
    Additional Documentation            Integration Guides
  4. Re-enable certificate validation in your IDP.
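
A check you might run between steps 3 and 4, as an added example that is not part of the VMware documentation: it compares the signing certificate fingerprints in the SAML SP metadata downloaded before and after rotation, so that validation is re-enabled only once the metadata imported in the IDP carries the new certificate. The function names and the sample metadata are constructed for illustration, and the certificate bytes are placeholders rather than real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signing_cert_fingerprints(metadata_xml):
    """Return SHA-256 fingerprints of the SP signing certificates in SAML metadata."""
    root = ET.fromstring(metadata_xml)  # metadata downloaded from your own deployment
    prints = set()
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints

def rotation_status(old_xml, new_xml):
    """Classify the metadata pair before certificate validation is re-enabled."""
    old = signing_cert_fingerprints(old_xml)
    new = signing_cert_fingerprints(new_xml)
    if not new:
        return "no-signing-cert"  # the IDP would have nothing to validate against
    if new == old:
        return "unchanged"        # the metadata still carries the old certificate
    return "rotated"

def sample_metadata(cert_bytes, use="signing"):
    """Build constructed SP metadata; cert_bytes stands in for DER certificate data."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f'{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    )

if __name__ == "__main__":
    before = sample_metadata(b"constructed-old-cert")
    after = sample_metadata(b"constructed-new-cert")
    print(rotation_status(before, after))
```

Only a "rotated" result indicates that the downloaded metadata differs from what the IDP held before rotation.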
