Certificate expiration FAQ

1. What is a SAML signing and encryption certificate?

OpenAthens uses a protocol called SAML to make secure access to resources easier with single sign-on (SSO). SAML (Security Assertion Markup Language) is a widely used standard that lets one service, called an identity provider (IdP), verify your login details (authenticate you). Once you're authenticated, the identity provider sends a secure token (the SAML assertion) to another application, known as a service provider (SP), so that it knows you are who you say you are; it can then determine whether you are authorised to access it. Because you have authenticated to your IdP, you will not need to log in again to access other resources for the duration of your session; this is single sign-on.

SAML signing and encryption certificates help to make sure that your login process is secure when using SAML authentication. While the signing certificate verifies that the message really comes from the right sender and hasn’t been altered, the encryption certificate makes sure that the message is protected and no one can read it, keeping it safe and private.

Signing and encryption certificates are included in a SAML entity’s metadata. SAML applications rely on these certificates to verify the authenticity and integrity of messages exchanged between the Identity Provider (IdP) and the Service Provider (SP). We use the same certificate for signing and encryption, but be aware that the certificate appears more than once in our metadata, with one copy listed for signing and one for encryption.

2. What is going to happen with the certificate?

OpenAthens' certificates have a ten-year lifetime, and we have now almost reached the end of that lifetime for the current certificate. We will therefore be updating our existing signing and encryption certificate on 3 February 2025 at 12:00 UTC.

Customers should ensure that all copies of our certificate that they are using are updated on 3 February 2025 at 12:00 UTC to maintain access to resources. If a certificate expires without being updated, any information that is encrypted or signed with it will become unreadable or untrustworthy. This may cause a disruption, breaking the connection between the identity provider (IdP) and the service provider (SP) and resulting in a loss of access to resources.

3. Where can I find the certificate?

The location of the certificates varies for each customer. Typically, your IT team can provide the necessary details. If you have trouble finding it, please contact us at help@openathens.net.

4. How can I identify the certificate that needs to be updated?

The current OpenAthens certificate that needs replacement by February 2025 is:

Serial Number: 54 ec 42 22

Issued On: Tue Feb 24 2015 09:20:06 GMT+0000 (Greenwich Mean Time)

Expires On: Mon Feb 24 2025 09:20:06 GMT+0000 (Greenwich Mean Time)

SHA-256 Fingerprint: 32 9d 94 4c 88 db 14 98 4d b2 91 78 df ad 3b 39 da 80 01 1a 75 50 2a 80 d5 69 9b 57 7c 9b b2 aa

SHA-1 Fingerprint: 0e ae 65 d2 77 e2 63 b7 17 be 07 1a 5d 85 25 75 21 29 da 8d

5. I have checked the certificate expiration date and it has been updated. Do I need to do anything else?

This depends on your configuration. If you are configured to verify or sign requests or responses, you will also need to update the signing certificate at 12:00 UTC on 3 February 2025. The new certificate has the following properties:

Not Before: Apr 9 13:15:36 2024 UTC

Not After : Apr 9 13:15:36 2034 UTC

Serial number: 33e64f9cd5aef2c20b113d3cf08a36c34d80e715

SHA1 Fingerprint: A9:91:F3:84:45:47:1C:67:7C:2B:0A:DC:63:83:25:3B:45:3C:47:26

SHA256 Fingerprint: 4A:7A:87:11:E6:CC:DD:28:B0:DD:5F:70:F9:9D:1E:0B:33:EB:D0:F8:59:AB:B3:95:91:EA:63:32:AB:5A:3F:35

If the new certificate is already in use and everything’s working fine, then you don’t need to do anything. This is usually because the software you're using has an automated system that regularly updates the certificate and might automatically switch to the new one.
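To check which of the two certificates a metadata file actually carries, the following added example (not OpenAthens code) parses the KeyDescriptor elements of a SAML 2.0 IdP metadata document, fingerprints each embedded certificate and compares it with the SHA-256 fingerprints listed above; the metadata it reads is a constructed sample whose certificate is placeholder bytes, so the result for it is "unknown".

```python
# Identify which OpenAthens certificate a SAML IdP metadata document carries, by SHA-256
# fingerprint. Fingerprints are from the FAQ; the metadata below is a constructed sample
# whose "certificate" is placeholder bytes, not a real X.509 DER structure.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# SHA-256 fingerprints published in the FAQ (expiring certificate, serial 54 ec 42 22; new certificate).
KNOWN_SHA256 = {
    "expiring": "32 9d 94 4c 88 db 14 98 4d b2 91 78 df ad 3b 39 da 80 01 1a 75 50 2a 80 d5 69 9b 57 7c 9b b2 aa",
    "new": "4A:7A:87:11:E6:CC:DD:28:B0:DD:5F:70:F9:9D:1E:0B:33:EB:D0:F8:59:AB:B3:95:91:EA:63:32:AB:5A:3F:35",
}

def normalize_fingerprint(fp: str) -> str:
    """Strip the separators tools print (spaces or colons) and uppercase."""
    return "".join(ch for ch in fp if ch not in " :").upper()

def classify(sha256_fp: str) -> str:
    """Map a certificate's SHA-256 fingerprint to 'expiring', 'new' or 'unknown'."""
    fp = normalize_fingerprint(sha256_fp)
    for label, known in KNOWN_SHA256.items():
        if normalize_fingerprint(known) == fp:
            return label
    return "unknown"

def inspect_metadata(xml_text: str) -> list:
    """Return (use, sha256_fingerprint, label) for every certificate in the metadata."""
    root = ET.fromstring(xml_text)
    results = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute means both
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # base64 body -> DER bytes
            fp = hashlib.sha256(der).hexdigest().upper()
            results.append((use, fp, classify(fp)))
    return results

# Constructed sample: one placeholder certificate listed twice, as the FAQ notes OpenAthens does.
_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
_KEY = ('<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f'{_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.invalid/placeholder"><md:IDPSSODescriptor>'
    + _KEY.format(use="signing") + _KEY.format(use="encryption")
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")
```

Run `inspect_metadata()` on the XML fetched from your own metadata URL to see whether the signing and encryption entries still report "expiring".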

6. The certificate has not been updated. How do I update it?

You will need to update to the new certificate and make sure it is in place by 3 February 2025 to prevent any disruption to resource access. If your system allows you to use multiple certificates, you can have both the new and old certificates in place without any issues. However, you shouldn’t remove the old certificate until you receive notification from the OpenAthens team that it is safe to do so. If your system only supports one certificate at a time, you will need to update the certificate at 12:00 UTC on 3 February 2025.

There are three situations in which the certificate expiration might affect you:

a. You are using a local directory integration (LDI) to provide access to your users
Some connector interfaces do not use certificates, or we know that they will update automatically (e.g. LDAP, Azure/Entra). We only contacted customers whose LDI may require updating.

If your LDI uses SAML, the metadata will update automatically in some cases. In other cases, you will have to refresh the metadata manually. Please review the documentation about updating metadata or relying party certificates for SAML local connectors for more information.

We encourage you to pass this information to your technical team to ensure they are aware of the forthcoming certificate expiry and assist in making a decision. If necessary, they can also raise a ticket with us for further support.

b. You have custom SAML 1:1 (Bilateral / Peer-to-Peer) resources in your catalogue
If you have custom SAML resources (or 1:1 connections) in your catalogue, the Service Provider or publisher (SP) will need to update your OpenAthens IdP metadata and/or certificate. In some cases, you may be able to update the resource yourself through an interface on the publisher’s website. In others, you will need to get in touch with the service provider or publisher and ask them to update the certificate.

OpenAthens will be contacting the most popular resource providers (see question 8), but for some of the less common resources, you may have to contact the Service Provider directly and ask them to update your metadata.

Please review the documentation on updating the certificate used by custom SAML resources for more information.

c. You are a Service Provider or publisher (SP)
If you use Keystone, you won’t need to take any action, as this process will happen automatically.

If you are not using Keystone but are regularly updating the metadata and can support two certificates at once, then you don’t need to do anything. Otherwise, you’ll just need to refresh your metadata cache or re-load it, depending on the configurations you have. Please review the documentation about updating signing certificates for OpenAthens IdPs for more information.

We encourage you to share this information with your technical team, so they are aware of the event and can help make the right decision. If needed, they can also reach out to us by submitting a ticket for additional support.

7. How do I find my OpenAthens IdP metadata?

In case you need to provide the custom resource publisher with your OpenAthens IdP metadata, you can normally find it at

https://login.openathens.net/saml/2/metadata-IdP/[customer’s domain].

Please review the documentation about how to access your login.openathens.net metadata for more information. You can contact us at help@openathens.net if you have any problems obtaining the metadata URL.

8. I have custom SAML resources. Do I need to contact all of the providers?

At OpenAthens, we are going to contact the SPs of the most common custom SAML resources to let them know about the certificate expiration. Please review the list of most common custom SAML resources.

You will have to review the list of resources in your catalogue flagged as “SAML” and contact any service providers that don’t appear in the list.

Note: You do not need to do anything with resources marked as "custom".

9. Will the certificate expiration affect Lightweight Directory Access Protocol (LDAP) connections?

No, LDAP connections will remain unaffected.

10. I am a member of the UK Access Management Federation and/or InCommon Federation. Do I need to do anything?

If you are part of the UK Access Management Federation and/or InCommon Federation, you will receive an email with further information on how to proceed.

11. What should I do if I need help or have an issue that isn’t covered in the FAQ?

If you can’t find the answer to your question here or if you’re experiencing an issue, don’t worry: our support team is here to help. Please feel free to reach out to us by raising a ticket through our support portal or by emailing help@openathens.net directly.