SUNET TCS members,
this concerns you if you use federated login (via your SWAMID IdP)
against Sectigo Certificate Manager and/or the client certificate
self-service portal.
If your IdP does not automatically receive updated metadata for services
via SWAMID, you need to make sure your IdP admins trigger this manually
after the switch for it to keep working.
I don't think any of you have fiddled with "hard-code login links" or
"bypass the discovery service", but should that be the case, see the
information about this below.
Casper Dreef <casper.dreef(a)geant.org> writes:
> Subject: Important: Required Action for Trusted Certificate Service Subscribers Using Federated Access
>
> Dear TCS MRAO,
>
> We are writing to inform you about an update to the Sectigo Certificate Manager that will go live today, August 8, at 17:00 CEST.
>
> The update will affect anyone logging into the Sectigo Certificate Manager using federated SSO (single sign-on) authentication.
>
> Scheduled Update:
> - Sectigo is issuing new assertion consumer service endpoints for the Sectigo Certificate Manager, with indexes 3 and 4, as well as new discovery response and logout endpoints.
> - The update will take effect at 17:00 CEST today, August 8, 2024.
> - The Sectigo Certificate Manager will invoke logins for TCS subscribers using these new endpoints.
> - The old endpoints will be withdrawn from service in the next few weeks.
>
> Required Actions:
> - Certificate Service RAOs (Registration Authority Officers) who hard-code login links for their customers need to update their login URLs by following these instructions:
> - If you bypass the discovery service, you will need to update the URL with the following, substituting your IdP’s entityID where indicated:
>
> https://cert-manager.com/saml2int/Shibboleth.sso/geant?target=https://cert-…<CUSTOMER>/idp-saml2int&entityID=<your IdP's URL-encoded entityID>
> Note: <CUSTOMER> equals the NREN tag used in SCM.
>
> If you use the discovery service, no manual URL update is required.
>
> IdP (Identity Provider) operators need to refresh their metadata to
> receive the new Sectigo Certificate Manager assertion consumer service
> endpoints. We recommend that you refresh metadata at least once a day
> or use MDQ (Metadata Query) as a best practice. If you follow our
> recommendations, no manual metadata update is required.
>
> If you have followed the above guidance and are still experiencing issues, please contact the Sectigo helpdesk.
>
> Best regards,
>
> Casper Dreef
> Service Specialist - Trust & Security
> GÉANT
--
Kent Engström, SUNET TCS
kent.engstrom(a)liu.se, +46 13 28 4444
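Two practical checks follow from the quoted notice: an IdP operator wants to confirm that the SP metadata their IdP actually holds carries the new assertion consumer service indexes 3 and 4, and anyone who hard-codes a discovery-bypass link must URL-encode the IdP entityID. The script below is an added example written for this thread; it is not code from SUNET, SWAMID, GÉANT or Sectigo. The entityIDs, Locations and the metadata document are constructed placeholders (a real check would parse the metadata the IdP fetched from its federation feed or MDQ server), and the endpoint paths only mimic the shape of the URL in the notice.

```python
"""Check which AssertionConsumerService indexes an SP's SAML metadata
carries, and build a correctly URL-encoded discovery-bypass query string.
All sample data in this file is constructed for illustration only."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_sp_metadata(entity_id: str, acs: list[tuple[int, str]]) -> str:
    """Fabricate a minimal SP EntityDescriptor with the given ACS endpoints.
    Only used to construct test input; a real IdP reads this document from
    its federation metadata feed or via MDQ."""
    acs_xml = "\n".join(
        f'    <md:AssertionConsumerService Binding="{HTTP_POST}" '
        f'Location="{loc}" index="{idx}"/>'
        for idx, loc in acs
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">\n'
        '  <md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">\n'
        f"{acs_xml}\n"
        "  </md:SPSSODescriptor>\n"
        "</md:EntityDescriptor>\n"
    )


SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed placeholder

# Constructed: what an IdP with a stale metadata cache sees (old endpoints only).
STALE_METADATA = build_sp_metadata(SP_ENTITY_ID, [
    (1, "https://sp.example.org/Shibboleth.sso/SAML2/POST"),
    (2, "https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"),
])

# Constructed: what a refreshed feed carries (old endpoints plus indexes 3 and 4).
FRESH_METADATA = build_sp_metadata(SP_ENTITY_ID, [
    (1, "https://sp.example.org/Shibboleth.sso/SAML2/POST"),
    (2, "https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"),
    (3, "https://sp.example.org/saml2int/Shibboleth.sso/SAML2/POST"),
    (4, "https://sp.example.org/saml2int/Shibboleth.sso/SAML2/POST-SimpleSign"),
])


def acs_endpoints(metadata_xml: str) -> dict[int, str]:
    """Map each AssertionConsumerService index to its Location."""
    root = ET.fromstring(metadata_xml)
    return {
        int(acs.get("index")): acs.get("Location")
        for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    }


def missing_acs_indexes(metadata_xml: str, required=(3, 4)) -> list[int]:
    """Return the required ACS indexes absent from the metadata. A non-empty
    list means the IdP cannot validate a login that names those endpoints
    against its metadata, which is exactly the stale-cache failure mode."""
    present = acs_endpoints(metadata_xml)
    return [i for i in required if i not in present]


def discovery_bypass_query(target: str, idp_entity_id: str) -> str:
    """Build the query string for a login link that bypasses discovery.
    urlencode() percent-encodes the entityID as the notice requires; pasting
    a raw 'https://...' entityID into the query string is the usual mistake."""
    return urlencode({"target": target, "entityID": idp_entity_id})


if __name__ == "__main__":
    print("stale metadata lacks indexes:", missing_acs_indexes(STALE_METADATA))
    print("fresh metadata lacks indexes:", missing_acs_indexes(FRESH_METADATA))
    print(discovery_bypass_query("https://sp.example.org/idp-saml2int",
                                 "https://idp.example.org/idp/shibboleth"))
```

Run against the metadata document your IdP has cached (for Shibboleth IdP, the file its metadata provider writes to its backing directory) rather than the constructed samples; an empty list from `missing_acs_indexes` after the refresh confirms the new endpoints arrived before the old ones are withdrawn.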