What is a SAML Signing Certificate?
SAML signing certificates are essentially SSL certs, and they ensure that messages are coming from the expected identity and service providers. SAML certificates are used to authenticate and secure SAML requests, responses, and assertions between software systems. SAML and SSL Certs have been used extensively for over 25 years, and routines to manage expirations and updates have long been established. Just like SSL certificates, SAML signing certificates have an expiration date and must be renewed, typically every year.
Why even bring this up if it’s so routine?
In the past, if transitions to new SAML Signing Certs resulted in websites being briefly unavailable, people just went along with these short outages. Today, however, as the world increasingly relies on web systems, even brief outages are becoming unacceptable. The good news is that Cert transitions, and the people who manage them, have become more sophisticated. At ClassLink we manage our Cert transitions with planning and care to eliminate any outage.
How will it affect ClassLink customers?
There will be no impact on signing into ClassLink, and there should be minimal or no impact on SAML-based single sign-ons during and after the SAML Cert transition. Many vendors will automatically accept the new SAML certificate, and a few will require manual intervention by the vendor.
How will it affect ClassLink vendor partners?
Vendor partners that leverage SAML single sign-on rely on ClassLink’s Cert to ensure authenticity and security between their servers and ClassLink servers. Based on our testing we have found the following:
- The majority of vendor partner applications will automatically accept our new SAML certificate with no additional action.
- Some vendor partner applications will not automatically accept our new SAML certificate; they may be hard-coded to look for the current one, which is soon to expire, and so work is required. Depending on how their systems are designed, the work may be trivial or may involve some effort.
What will happen if a vendor partner does not automatically, or through additional work, accept ClassLink’s new SAML Cert?
SAML-based single sign-on links to a vendor will not work if that vendor does not automatically, or through additional work, accept ClassLink’s new SAML Cert. Again, Cert transitions are not new, and any issues are always eventually resolved through helpdesk phone calls and the like. With today’s increased performance expectations from web systems, ClassLink is always working towards eliminating any outages. We are being proactive in testing and identifying all potential causes of downtime, even brief or isolated ones.
What should I do?
We have informed vendors of our upcoming SAML Certificate update, which will take place on Saturday, September 19, 2020 at 1AM Eastern (GMT-4). However, if your application is not working after this date, please do the following if you are a:
- ClassLink Customer: Contact your vendor to inform/remind them to refresh the ClassLink metadata.
- Vendor: Refresh the ClassLink metadata for your application.
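For vendors whose application is hard-coded to a certificate, one way to check that pin against refreshed metadata, as an added example that is not ClassLink's code: it lists the signing certificates in an IdP metadata document and compares their SHA-256 fingerprints with the ones the application trusts. The metadata, the placeholder certificate bytes, the entity ID and all function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders: these bytes stand in for DER-encoded certificates.
OLD_CERT, NEW_CERT, ENC_CERT = b"old-signing", b"new-signing", b"encryption"

def key_descriptor(use, der):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed IdP metadata as it might look after a rotation (new signing cert only).
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.org"><md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + key_descriptor("signing", NEW_CERT) + key_descriptor("encryption", ENC_CERT)
    + '</md:IDPSSODescriptor></md:EntityDescriptor>')

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every signing certificate the IdP publishes."""
    root = ET.fromstring(metadata_xml)  # parse only metadata fetched from the trusted URL
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                found.add(fingerprint(der))
    return found

def rollover_status(pinned, metadata_xml):
    """Compare the fingerprints an application trusts with the published ones."""
    published = signing_fingerprints(metadata_xml)
    return {
        "stale_pins": sorted(pinned - published),     # trusted but no longer published
        "untrusted_new": sorted(published - pinned),  # published but not yet trusted
        "action_required": not published or bool(published - pinned),
    }

if __name__ == "__main__":
    print(rollover_status({fingerprint(OLD_CERT)}, SAMPLE_METADATA))
```

A non-empty `untrusted_new` means the application does not yet trust a certificate the identity provider publishes, so signed responses using it would be rejected until the metadata is refreshed.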
If you have questions, please contact us at firstname.lastname@example.org with the subject “SAML Cert Update”.
We wish you and your team a healthy and successful school year.