SUNET TCS members,
this concerns you if you use federated login (via your SWAMID IdP)
to Sectigo Certificate Manager and/or the client certificate
self-service portal.
If your IdP does not automatically receive updated metadata for services
via SWAMID, you need to make sure your IdP admins trigger this manually
after the switch for it to keep working.
I don't think any of you have messed around with "hard-code login links" or
"bypass the discovery service", but should that be the case, see
the information about this below.
Casper Dreef <casper.dreef(a)geant.org> writes:
Subject: Important: Required Action for Trusted
Certificate Service Subscribers Using Federated Access
Dear TCS MRAO,
We are writing to inform you about an update to the Sectigo Certificate Manager that will
go live today, August 8, at 17:00 CEST.
The update will affect anyone logging into the Sectigo Certificate Manager using
federated SSO (single sign-on) authentication.
Scheduled Update:
- Sectigo is issuing new assertion consumer service endpoints for the Sectigo Certificate
Manager, with indexes 3 and 4, as well as new discovery response and logout endpoints.
- The update will take effect at 17:00 CEST today, August 8, 2024.
- The Sectigo Certificate Manager will invoke logins for TCS subscribers using these new
endpoints.
- The old endpoints will be withdrawn from service in the next few weeks.
Required Actions:
- Certificate Service RAOs (Registration Authority Officers) that hard-code login links
for their customers need to update their login URLs by following these instructions:
- If you bypass the discovery service, you will need to update the URL with the
following, substituting your IdP’s entityID where indicated:
https://cert-manager.com/saml2int/Shibboleth.sso/geant?target=https://cert-…
IdP's URL-encoded entityID>
Note: <CUSTOMER> equals the NREN tag used in SCM.
If you use the discovery service, no manual URL update is required.
IdP (Identity Provider) operators need to refresh their metadata to
receive the new Sectigo Certificate Manager assertion consumer service
endpoints. We recommend that you refresh metadata at least once a day
or use MDQ (Metadata Query) as a best practice. If you follow our
recommendations, no manual metadata update is required.
If you have followed the above guidance and are still experiencing issues, please contact
the Sectigo helpdesk.
Best regards,
Casper Dreef
Service Specialist - Trust & Security
GÉANT
--
Kent Engström, SUNET TCS
kent.engstrom(a)liu.se, +46 13 28 4444
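
A check an IdP operator could run after the metadata refresh described above (an added example, not part of the original messages or of any Sectigo, GÉANT or SUNET material): it reads the service's entry from the IdP's cached metadata and reports which of the new assertion consumer service indexes (3 and 4) are still missing. The entityID, the Location URLs and the old indexes 1 and 2 in the sample are constructed placeholders, and `sample_metadata`, `acs_endpoints` and `missing_new_endpoints` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NEW_ACS_INDEXES = {3, 4}                  # indexes named in the notice
SP = "https://sp.example.org/shibboleth"  # placeholder entityID (assumption)

def sample_metadata(indexes):
    """Constructed metadata aggregate holding one SP with the given ACS indexes."""
    acs = "".join(
        f'<md:AssertionConsumerService index="{i}" '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="https://sp.example.org/acs/{i}"/>'
        for i in indexes)
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}">'
            f'<md:EntityDescriptor entityID="{SP}"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{acs}</md:SPSSODescriptor></md:EntityDescriptor>'
            '</md:EntitiesDescriptor>')

def acs_endpoints(metadata_xml, entity_id):
    """Map ACS index -> (Binding, Location) for one SP in cached metadata.

    Run this on metadata the IdP has already signature-verified and cached,
    not on XML fetched from an untrusted source.
    """
    root = ET.fromstring(metadata_xml)
    # iter() also yields the root, so a lone EntityDescriptor works too.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") == entity_id:
            return {int(a.get("index")): (a.get("Binding"), a.get("Location"))
                    for a in entity.iter(f"{{{MD}}}AssertionConsumerService")}
    raise LookupError(f"{entity_id} not found in metadata")

def missing_new_endpoints(metadata_xml, entity_id):
    """Return the new ACS indexes the IdP does not know about yet."""
    return sorted(NEW_ACS_INDEXES - set(acs_endpoints(metadata_xml, entity_id)))

if __name__ == "__main__":
    for label, xml in (("before refresh", sample_metadata([1, 2])),
                       ("after refresh", sample_metadata([1, 2, 3, 4]))):
        print(label, "-> missing ACS indexes:", missing_new_endpoints(xml, SP))
```

A non-empty result means the IdP is still working from stale metadata and will not recognise the new endpoints when the service invokes logins through them.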