Updating SAML Certificates

SSO/SAML certificates expire after a couple of years. The following describes the process for updating the certificate used by the web app.

The certificate is used when the web app establishes a SAML connection (login or forgot-password flow) to Access-Boston. This takes place in the call below:

samlAuth = await makeSamlAuth({
  metadataPath: './saml-metadata.xml', // paste the new CERTIFICATE into this file
  serviceProviderCertPath: './service-provider.crt',
  serviceProviderKeyPath: './service-provider.key',
});

The files that need to be updated are stored in AWS S3 buckets at:

TEST

  • cob-digital-apps-staging-config/access-boston/test/saml-metadata.xml

  • cob-digital-apps-staging-config/access-boston/test/saml-forgot-metadata.xml

DEV

  • cob-digital-apps-staging-config/access-boston/dev/saml-metadata.xml

  • cob-digital-apps-staging-config/access-boston/dev/saml-forgot-metadata.xml

PROD

  • cob-digital-apps-prod-config/access-boston/test/saml-metadata.xml

  • cob-digital-apps-prod-config/access-boston/test/saml-forgot-metadata.xml

Copy the base64 body of the new X.509 certificate (the text between the BEGIN CERTIFICATE and END CERTIFICATE lines, not the private key) and paste it into the <ds:X509Certificate> node in the saml-metadata.xml and saml-forgot-metadata.xml files.

After this is done, restart the AWS ECS container task for the Access-Boston service (PROD, TEST or DEV). Immediately afterwards, the Security team should swap out the certificate used by that service. Making this change causes a few minutes of downtime for the service, so it should be coordinated with the Security team and logged in a Change Order request.
