Some quick answers to certificate-related questions we've received in the past month.
Spring has sprung, even here in Canada, and it's a time of growth and renewal. One of the most popular spring activities around here is the renewal of the certificates that affect clients' digital workplaces. It happens every year or so, and can catch people by surprise. Here are a few questions we handled in the latest set of renewals.
There are two kinds of certificates that affect your Igloo. A certificate for single-sign on authentication (SAML), that lets your members log in, and a certificate for encryption (SSL), that keeps your site's traffic secured over SSL. They operate independently and on entirely different schedules, and could even require different people in your organization to handle, depending on your structure.
What happens if they aren't renewed?
If your digital workplace uses single sign on, one of the things it depends on is every member passing a matching certificate when they log in. That lets the Igloo platform know to only log in your people, and no one else. The Public Key field in your SAML settings needs to match the certificate value in your Identity Provider. If they don't match, no one will be able to log in through single sign on.
If your SSL certificate isn't renewed, the site will be flagged in browsers as being pointed to an invalid certificate. What happens from there depends on what browser you're using, but it could flash a security warning and let you proceed, or block access to your site entirely.
How do I renew my SAML certificate?
ADFS and Azure implementations are the most common identity providers that need renewal. They typically have a certificate rollover period of several years, so they'll refresh the certificate value and it won't match, causing login issues. The solution: match them up again.
First, obtain the new certificate value, either directly from your identity provider or by finding it in the <ds:X509Certificate> field of a SAML trace. With the new value in hand, any Administrator can log in to your digital workplace using their Igloo credentials at https://[yourcommunityurl]/?signin. Navigate to the Sign In Settings area of the Control Panel, and enter the new certificate value in the Public Key field. Save the changes at the bottom of the page, and they'll immediately take effect, and let people log in once again.
How do I renew my SSL certificate?
Good news, we do it for you. If you have a free Igloo with an igloocommunities.com domain, it's handled under our web properties. If you've branded your domain, the process includes mapping to an Igloo-held certificate so we can take care of that renewal before it ever becomes an issue.
The exceptions to that are digital workplaces that use a private DNS or a local map to restrict access. This comes up with clients who only want their Igloo to be accessible from their office network, for example. In cases like this, our IT team can't verify the certificate automatically, so we'll reach out before the certificate needs renewal.
On the whole, certificate renewals can be a nailbiting process, but we want to work with you to make it as easy and worry-free as possible.
As always, if you have questions about the Igloo platform, workflows, or best practices, you can leave a comment here, or ask a question in the Community area.