Target
Customers who have contracted HENNGE Access Control and are using legacy SAML signing certificates to integrate with other services.
Details
This article explains the preparations needed before updating the SAML signing certificates in HENNGE Access Control.
Precautions
1. The content of this article is based on the product specifications as of August 2024 and may be subject to change without notice.
2. Administrator privileges for HENNGE Access Control are required to verify the actual screen and make settings changes.
3. Please refer to the following article for accessing the administration screen.
Accessing HENNGE Access Control admin console (Modern View)
4. This procedure requires updates to be performed simultaneously on both HENNGE Access Control and the target linked service side.
5. During the implementation of this procedure, there will be a temporary period when single sign-on from HENNGE Access Control to the target linked service will not be possible. Therefore, please consider the timing of the procedure in advance.
6. Once the update work has been performed, it cannot be undone.
Detailed Information
① Check if SAML signing certificates need to be updated
For this SAML signing certificate update, some settings may only be relevant to certain customers.
Please follow the steps below to check whether your settings need to be updated.
<Confirmation Procedure>
[April 3, 2024, Update]
Due to an update to HENNGE Access Control, services that require updating the SAML signing certificates will now display an icon saying [Signing key update required] as shown in the image below.
Additionally, clicking on the settings with this icon will display a banner at the top of the screen as shown in the image below.
We hope this will help you in confirming the settings that require updating the SAML signing certificates.
Click on [Connected Services] in the HENNGE Access Control administration screen, and then click on each setting where [TYPE] is [SAML SSO].
The settings where the [Signing Key] item is displayed as [2048-bits (legacy)] or [1024-bits (legacy)] in the following image are subject to the update.
※ Services with [Custom Key] do not require a SAML signing certificate update.
※ For settings that are subject to the update but are not currently in use or are not planned to be used in the future, please delete the settings.
② Confirm how to change settings on the service side
Each linked service can generally be classified into the following three patterns.
After confirming which settings are subject to the update, check which pattern the target service provider falls into,
and then consider the date and time for updating the SAML signing certificates for each service.
Pattern A: Manageable from the administration screen
Pattern B: Changes need to be made by the service provider, and specifying the date and time of work is possible
Pattern C: Changes need to be made by the service provider, and specifying the date and time of work is not possible
Please note that updating the SAML signing certificates this time requires updates on both the HENNGE Access Control side and the linked service provider side.
Therefore, first check whether you can manage the settings from the administration screen of each linked service provider.
If you cannot manage the settings from the administration screen, work will be required by the service provider vendor. Please contact the service provider vendor using the following steps.
③ (For services where customers cannot make changes themselves) Confirm the following with the service provider
If you cannot update the SAML signing certificates from the administration screen of the linked service and work is required by the service provider vendor,
please contact the service provider vendor with the following content.
The IdP service currently integrated with your service requires an update of the SAML signing certificates. Upon verification, it was found that operations could not be performed from the administration screen, so we understand that the update work needs to be performed by your company. Therefore, we would appreciate it if you could confirm and respond to the following points.
・Is it possible to specify the date and time for updating the SAML signing certificates?
→ To minimize the time of SAML failure due to certificate mismatch, we would like to match the update date and time of the SAML signing certificates on the IdP side. Please confirm if specifying the date and time of work is possible.
・Is it possible to upload two SAML signing certificates in your service?
→ Some services allow two SAML signing certificates issued by the IdP to be uploaded to support such updates. Please let us know if your service supports this.
・Will updating the SAML signing certificates affect the authentication sessions of existing users?
→ This overlaps with scheduling considerations, but if updating the SAML signing certificates on your service side will disconnect existing users' authentication sessions (i.e., requiring re-authentication via IdP), we need to carefully consider the certificate update timing on the IdP side. Please let us know.
④ Plan the actual update schedule
Once you have categorized each service, consider the schedule for updating the SAML signing certificates.
After starting the update work, SAML integration will fail temporarily until the SAML signing certificates are updated on both the HENNGE Access Control side and the linked service side.
For services that you can update yourself (Pattern A) and services where you can specify the work date and time with the service provider vendor (Pattern B),
we recommend consolidating the work dates.
For Pattern C, the update work may take some time to complete, depending on the service provider vendor.
Therefore, we recommend prioritizing the services that fall under Pattern C.
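The following is an added example, not HENNGE tooling or code from this article: it compares the signing certificates a linked service trusts with the IdP's old and new certificates by SHA-256 fingerprint, so you can tell in which phase of the update single sign-on will work for that service. It assumes you can obtain standard SAML metadata XML for the IdP before and after the update and for the copy held by the service; the function names and the sample data are hypothetical and constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every signing certificate in a SAML metadata document."""
    prints = set()
    root = ET.fromstring(metadata_xml)  # input: metadata files you exported yourself
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        # No "use" attribute means the key serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints

def rollover_state(sp_copy_xml, old_idp_xml, new_idp_xml):
    """Classify what the service trusts relative to the old and new IdP certificate."""
    trusted = signing_fingerprints(sp_copy_xml)
    old_ok = bool(trusted & signing_fingerprints(old_idp_xml))
    new_ok = bool(trusted & signing_fingerprints(new_idp_xml))
    if old_ok and new_ok:
        return "both-trusted"   # SSO keeps working across the IdP-side switch
    if new_ok:
        return "new-only"       # SSO works only after the IdP-side update
    if old_ok:
        return "old-only"       # SSO fails once the IdP-side update is done
    return "none-trusted"       # SSO is already failing

def sample_metadata(*blobs):
    """Minimal constructed metadata; blobs are placeholder bytes, not real X.509."""
    keys = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(b).decode()}</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for b in blobs)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
            f'entityID="https://idp.example.test"><md:IDPSSODescriptor>'
            f"{keys}</md:IDPSSODescriptor></md:EntityDescriptor>")

OLD, NEW = b"constructed-legacy-cert", b"constructed-new-cert"

if __name__ == "__main__":
    for label, sp in [("before", sample_metadata(OLD)),
                      ("dual", sample_metadata(OLD, NEW)),
                      ("after", sample_metadata(NEW))]:
        print(label, rollover_state(sp, sample_metadata(OLD), sample_metadata(NEW)))
```

A service that reports "both-trusted" is one that accepts two certificates at once, which is the case the vendor questions in ③ ask about.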
For specific update procedures, please refer to the following help site.
▽SAML signing certificate renewal steps