Renewing IdP certificates

Third-party screenshots and options are correct at time of release but are subject to change outside of 1E control.

To maintain secure communication between the 1E Platform and the Identity Provider, 1E issues a public certificate when tenant provisioning occurs. This certificate is valid for one year. When ninety percent of the certificate's validity period has elapsed, a new certificate is issued and must be added to your Identity Provider. During activation, the 1E Platform ensures that authentication with the new certificate is successful.

Using Identity Providers you can:

  • Download certificates: Download a certificate to upload to your Identity Provider (IdP) to ensure continued access to the 1E Platform.

  • Manage certificate renewal: Keep track of your certificate's renewal date to plan ahead and avoid any disruptions.

  • Access logging and auditing: Access logs related to certificate renewal and download them for security and audit purposes.

Permissions

To use the features offered by Identity Providers you will need the following:

  • Infrastructure.Write: To select a new IdP certificate.

  • Infrastructure.Read: To view the list of certificates, and download the public key.

The Enhanced Settings module is only visible to, and restricted to, the Full Administrator role by default, or to a configured role with the Security.Read permission. Refer to Roles and Securables and Roles.

Azure IdP certificates

To renew your Azure IdP certificate follow these steps:

  1. Navigate to Settings > Identity Providers to view your current certificate and any available certificates.

  2. If your current certificate is about to expire, you will see a message like the one shown, along with any available certificates generated by the Platform. Your current certificate will be marked as Active in Current Certificate. Please note the expiry dates for the certificates.

    Activating a certificate is not required before uploading it to your IdP and verifying its validity.

    If your certificate has expired, you will receive a notification similar to the one displayed. The process to download and activate a new certificate remains the same as when your certificate is about to expire.

  3. Any valid certificate can be selected as your current IdP communication cert. In the example, there is one available certificate with an expiry date of 02-23-2026, which is downloaded by clicking the download arrow icon.

  4. Save the generated .PEM file to your device or network location. The .PEM file will be in the format <certificate-thumbprint.pem>, for example:

    • ccd0f21c48f8b547d5fea7fa52105699719c0b3e.pem

  5. You must now update the Client Assertion Application used by 1E Platform to perform directory searches in your IdP. Refer to AAD - 1E Client Assertion.

    In our example, the application is called Client Assertion Application, so in the Azure admin portal the path is Azure Active Directory > Client Assertion Application > Certificates & secrets. Click Upload certificate.

  6. If the certificate uploads correctly you will see messages similar to the ones shown.

  7. Once the .PEM is successfully uploaded, you can activate the corresponding Azure identity provider certificate in the 1E Platform.

    Click Activate and select I've uploaded and configured this certificate. The Platform validates that the new certificate is working and sets it to active.

  8. The activated certificate is now listed as Active in the Platform.

Okta IdP certificates

To renew your Okta IdP certificate follow these steps:

  1. Navigate to Settings > Identity Providers to view your current certificate and any available certificates.

  2. If your current certificate is about to expire, you will see a message like the one shown, along with any available certificates generated by the Platform. Your current certificate will be marked as Active in Current Certificate. Please note the expiry dates for the certificates.

    Activating a certificate is not required before uploading it to your IdP and verifying its validity.

    If your certificate has expired, you will receive a notification similar to the one displayed for Azure. The process to download and activate a new certificate remains the same as when your certificate is about to expire.

  3. Any valid certificate can be selected as your current IdP communication cert. In the example, there is one available certificate with an expiry date of 02-23-2026, which can be downloaded by clicking the download arrow icon.

  4. Save the generated .PEM file to your device or network location. The .PEM file will be in the format <certificate-thumbprint.pem>, for example:

    • ccd0f21c48f8b547d5fea7fa52105699719c0b3e.pem

  5. You must now update the Client Assertion Application used by 1E Platform to perform directory searches in your IdP. Refer to Okta Applications.

  6. Once the .PEM is successfully uploaded, you can activate the corresponding Okta identity provider certificate in the 1E Platform.

    Click Activate and select I've uploaded and configured this certificate. The Platform will then validate that the new certificate is working and set it to active.

  7. The activated certificate is now listed as Active in the Platform.
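Before uploading the downloaded .PEM in either procedure above, it is worth confirming that the file holds only the public certificate and that its SHA-1 thumbprint matches the filename, and working out when the ninety percent renewal point described in the overview falls. The following Python is an added example, not 1E's code; the sample PEM bytes are constructed and are not a real certificate.

```python
# Added example (not 1E's code): sanity-check a downloaded <thumbprint>.pem
# before uploading it to the IdP, and work out when the 90% renewal point falls.
import base64
import hashlib
import re
from datetime import datetime
from pathlib import PurePath

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S
)

def pem_blocks(pem_text):
    """Return (label, DER bytes) for every PEM block in the file."""
    blocks = []
    for m in _PEM_BLOCK.finditer(pem_text):
        blocks.append((m.group("label"), base64.b64decode("".join(m.group("body").split()))))
    return blocks

def thumbprint_from_pem(pem_text):
    """SHA-1 thumbprint (lowercase hex) of the single CERTIFICATE block; this is the download's filename."""
    certs = [der for label, der in pem_blocks(pem_text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    return hashlib.sha1(certs[0]).hexdigest()

def contains_private_key(pem_text):
    """True if any block is a private key; the file given to the IdP must hold only the public certificate."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(pem_text))

def filename_matches_thumbprint(path, pem_text):
    """The Platform names the download <thumbprint>.pem; check the name against the content."""
    return PurePath(path).stem.lower() == thumbprint_from_pem(pem_text)

def renewal_threshold(not_before_iso, not_after_iso, fraction=0.9):
    """ISO timestamp at which `fraction` of the validity period has elapsed (0.9 is the 1E renewal point)."""
    nb, na = datetime.fromisoformat(not_before_iso), datetime.fromisoformat(not_after_iso)
    return (nb + (na - nb) * fraction).isoformat()

def days_until_expiry(not_after_iso, now_iso):
    """Whole days left before the certificate's expiry date."""
    return (datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso)).days

# Constructed sample: NOT a real certificate, just enough bytes to exercise the checks.
SAMPLE_DER = b"constructed sample DER bytes, not a real X.509 certificate"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("thumbprint:", thumbprint_from_pem(SAMPLE_PEM), "has private key:", contains_private_key(SAMPLE_PEM))
    print("renew from:", renewal_threshold("2025-02-23", "2026-02-23"))  # one-year validity ending 02-23-2026
```

With OpenSSL installed, `openssl x509 -in <thumbprint>.pem -noout -fingerprint -sha1 -enddate` reports the same thumbprint (colon-separated, upper case) and the expiry date for a real downloaded file.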

Logging and auditing

You can view logs related to certificate renewal and download them for security and audit purposes by navigating to Settings > Legacy Platform > Monitoring > Audit Information log.

The following example shows that a user downloaded an IdP certificate; the event type is classed as Infrastructure.