What is a SAML Signing Certificate?
SAML signing certificates are essentially SSL certificates that ensure messages come from the expected identity and service providers. SAML certificates authenticate and secure SAML requests, responses, and assertions between software systems. SAML and SSL Certs have been used extensively for over 25 years, and routines to manage expirations and updates have long been established. Like SSL certificates, SAML signing certificates have an expiration date and must be renewed, typically every year.
Why even bring this up if it’s so routine?
In the past, if transitions to new SAML Signing Certs resulted in websites being briefly unavailable, people just went along with these short outages. Today, however, as the world increasingly relies on web systems, even brief outages are becoming unacceptable. The good news is that Cert transitions, and the people who manage them, have become more sophisticated. At ClassLink, we manage our Cert transitions with planning and care to eliminate any outage.
How will it affect ClassLink customers?
There will be no impact on signing in to ClassLink, and there should be minimal or no effect on SAML-based single sign-on's during and after the SAML Cert transition. Many vendors will automatically accept the new SAML certificate, and a few will require manual intervention by the vendor.
How will it affect ClassLink vendor partners?
Vendor partners that leverage SAML single sign-on rely on ClassLink’s Cert to ensure authenticity and security between their servers and ClassLink servers. Based on our testing, we have found the following:
- Most vendor partner applications will automatically accept our new SAML certificate with no additional action.
- Some vendor partner applications will not automatically accept our new SAML certificate, they may be hard-coded to look for the current one soon to expire, and so work is required. Depending on how their systems are designed, the work may be trivial or involve some effort.
What will happen if a vendor partner does not automatically, or through additional work, accept ClassLink’s new SAML Cert?
SAML-based single sign-on links to a vendor will not work if that vendor does not automatically, or through additional work, accept ClassLink’s new SAML Cert. Again, Cert transitions are not new, and any issues are eventually resolved through helpdesk phone calls and such. With today’s increased performance expectations from web systems, ClassLink is always working towards eliminating any outages. We are being proactive in testing and identifying all potential causes of downtime, even brief or isolated ones.
What should I do?
We have informed vendors of our upcoming SAML Certificate update that will take place on Tuesday, July, 26, 2022 - 1am EST (GMT-4). However, if your application is not working after this date, please do the following if you are a:
- ClassLink Customer: Contact your vendor to inform/remind them to refresh the ClassLink metadata.
- Vendor: Refresh the ClassLink metadata for your application.
Please contact us if you have questions at firstname.lastname@example.org with the subject “SAML Cert Update”.
We wish you and your team a healthy and successful upcoming school year.