Skip to main content
ExLibris
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Managing Certificates for SAML Authentication

    If you are working with Primo VE and not Primo, see SAML-Based Single Sign-On/Sign-Off.

    Return to menu

    Introduction

    The Certificate Manager allows you to create (see Creating a New Certificate) or replace (see Replacing a Certificate) a certificate for SAML authentication. A certificate may need to be replaced for security measures or when a certificate is near expiration. The replacement of a certificate is recommended every two to three years.

    • After you have installed the metadata on the IDP, users will not be able to log on to the Front End UI until the new certificate has been activated in the Primo login profile.

    • When activating a new certificate, all SAML profiles associated with your institution are affected. This means that the metadata file must be installed on all IDPs associated with those SAML profiles before the new certificate is activated.

    Creating a New Certificate

    Use this procedure to create a new certificate.

    To create a SAML certificate:
    1. On the User Authentication Wizard page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard), make sure that your institution appears in the Owner field.

      Owner_Verification.png

      Verify Owner Field on Login Profiles Page
    2. In the list of profiles, click Certificate next to the SAML profile.

      LoginProfilesList.png

      Login Profiles List
    3. From the Certificate drop-down list, select a certificate. You can choose a certificate based on its expiration date and whether it is self-signed.

      CertMng_New.png

      Select Certificate
    4. Click Save.

    5. Create a file that contains information about Primo as the service provider:

      1. Click Download Metadata to get a local copy of the metadata file. If you have configured additional SAML profiles to support additional IDPs, you must perform this operation for each of the profiles..

        DownloadMetadataNew.png

        Download Metadata Button
      2. Depending the browser you are using, a dialog box may appear. Save the file to your machine.

        Save File Dialog Box
      3. Send the file to your Authentication Manager.

    6. On the IDP, create a backup file for the old metadata file. If you support multiple IDPs for SAML, perform this operation on each of them.

    7. On the IDP, upload and install the new metadata file. If you support multiple IDPs for SAML, make sure that you install the appropriate metadata file on each IDP.

      After the metadata file has been replaced, end users will not be able to log on to the Front End UI until the new metadata file has been activated in the Primo Back Office.

    8. Repeat steps 1 through 2 to re-edit the certificate for your login profile.

      If you decide not to activate the new metadata file, click Delete New Metadata and re-install the backup copy of the old metadata file on the IDP.

    9. Click Activate Metadata to activate the new certificate. If you have configured more than one SAML profile, it is only necessary to perform this operation on one of the profiles.

      ActivateNewCertificateNew.png

      Activate Metadata Button
    10. Click OK to continue with the activation.

      ActivateNewCertNEWDialog.png

      Continue Activation Prompt
    11. Verify that users can log on to the Front End UI.

    Replacing a Certificate

    Use this procedure to replace an existing or expired SAML certificate.

    To replace a SAML certificate:
    1. On the User Authentication Wizard page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard), make sure that your institution appears in the Owner field.

      CheckInstLoginProfiles.png

      Verify Owner Field on Login Profiles Page
    2. In the list of profiles, click Certificate next to the SAML profile.

      LoginProfilesActiveCertButton.png

      Login Profiles List
    3. Click OK to continue.

      EditingSelectedProfile.png

      Continue to Certificate Manager
    4. From the Certificate drop-down list, select a certificate. You can choose a certificate based on its expiration date and whether it is self-signed.

      SelectCertExisting.png

      Select Certificate
    5. Click Save.

    6. Create a file that contains information about Primo as the service provider:

      1. Click Download Metadata next to the New Certificate field to get a local copy of the metadata file. If you have configured additional SAML profiles to support additional IDPs, you must perform this operation for each of the profiles..

        ReplacementCertificateDownload.png

        Download Metadata Button
      2. Depending the browser you are using, a dialog box may appear. Save the file to your machine.

        Save File Dialog Box
      3. If you have configured the AUTH_BASE_URL field in your login profile, edit the file and replace the URLs shown in bold below with the contents of the AUTH_BASE_URL field.

        <?xml version="1.0" encoding="UTF-8"?>
        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="787e867e7d6b404f842faf5bbf5006aa" entityID="https://s.com/primo_library/libweb/VOLCANO">  
        <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">  
        <md:KeyDescriptor>  
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
        <ds:X509Data>  
        <ds:X509Certificate>MIIFKDCCBBCgAwIBAgIQDNKHcxHQe79LJSYe7bWJZzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQG
        EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3Vy
        ZSBTZXJ2ZXIgQ0EwHhcNMTYwNzI1MDAwMDAwWhcNMTkxMDAyMTIwMDAwWjByMQswCQYDVQQGEwJV
        UzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xHTAbBgNVBAoTFEVYIExJQlJJ
        UyAoVVNBKSBJTkMuMR8wHQYDVQQDExZzYW1sLmV4bGlicmlzZ3JvdXAuY29tMIIBIjANBgkqhkiG
        9w0BAQEFAAOCAQ8AMIIBCgKCAQEArdprVYNVUndGUkf3HvrQQl58Xom46MNKnPKH0xzJz9f6VF0x
        md/cZ+Kq3COOKbabKEKwfVvFwCrbQjbkr3JuvRcu7g4QBqizgRv+rbovR5xDZIcJKTX+truHJp6h
        PYInf5uJFwDaHUZDktO7rI4MJIsdrOTAy2TWpDNOfYmTHI2pc4W84P31uiZtyx7nkzKou4fDBn40
        uW1XBb3f9NKq1TClYFCeh7CigLW3m+7HZbDpb+7Q5DMqNx8i/6yzxUBeB387i7PV3hCBFei3KPrG
        PPqyHTxgejYZrbKI4hIdbaITCAKykOplRmMlbzs/vCWHYlOHLt9AJGVqR2hmYV7xvwIDAQABo4IB
        3TCCAdkwHwYDVR0jBBgwFoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFM5UM4K1H5P8
        2L2qrnZsBH2Ttny4MCEGA1UdEQQaMBiCFnNhbWwuZXhsaWJyaXNncm91cC5jb20wDgYDVR0PAQH/
        BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilo
        dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc1LmNybDAvoC2gK4YpaHR0cDovL2Ny
        bDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEw
        KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYI
        KwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYB
        BQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2
        ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEADHHA7rOMK4kgzm89gElB
        tVTYN4VYdNOpMc0DBG9eWTeVV85l4DShUD2rgbvoDjsMCLryuvxXnxcWk5gKRNHtDfHH8S3McGwN
        vIuLJhHzb5K2VvyZbDs53Gep3b7k805Gx9VsbdgU5zTZlDD+PexrsHCwjyW2I/YlhnRC5avvV+AT
        gv5WQZKnV7l7xNWS2UqckorYdEGecbvohCkUFlfid5t5QBBN1QpuY2oge5Oxc8HncnY7DMk3Bx0j
        Dg41TLzXFX4SEYx6G7MlhvoJIfl0k0o8TTO8w+SowpvVpbkx1iGXR9h0RuO+BhDrOjcj5iwQ1/U7
        WvHKUsSzDOVAB0dDSw==</ds:X509Certificate>  
        </ds:X509Data>  
        </ds:KeyInfo>  
        </md:KeyDescriptor>  
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://s.com/primo_library/libweb/samlLogout"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>  
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://s.com/primo_library/libweb/samlLogin" index="0" isDefault="true"/>
        </md:SPSSODescriptor>  
        </md:EntityDescriptor>
         
        Example Primo Metadata File
      4. Send the file to your Authentication Manager.

    7. On the IDP, create a backup file for the old metadata file. If you support multiple IDPs for SAML, perform this operation on each of them.

    8. On the IDP, upload and install the new metadata file. If you support multiple IDPs for SAML, make sure that you install the appropriate metadata file on each IDP.

      After the metadata file has been replaced, end users will not be able to log on to the Front End UI until the new metadata file has been activated in the Primo Back Office.

    9. Repeat steps 1 through 2 to re-edit the certificate for your login profile.

      If you decide not to activate the new metadata file, click Delete New Metadata and re-install the backup copy of the old metadata file on the IDP.

    10. Click Activate Metadata next to the New Certificate field to activate the new certificate. If you have configured more than one SAML profile, it is only necessary to perform this operation on one of the profiles.

      ReplacementCertificateActivate.png

      Activate Metadata Button
    11. Click OK to continue with the activation.

      ActivateNewCertNEWDialog.png

      Continue Activation Prompt
    12. Verify that users can log on to the Front End UI.

    • Was this article helpful?