000035019 - Update an existing RSA SecurID Access Integrated Windows Authentication (IWA) Identity Provider SAML certificate

Document created by RSA Customer Support Employee on Apr 14, 2017. Last modified by RSA Customer Support on Apr 29, 2020.
Version 2

Article Content

Article Number: 000035019
Applies To: RSA Product Set: SecurID Access
Issue: As an RSA SecurID Access administrator, you would like to update an Integrated Windows Authentication (IWA) identity provider's SAML certificate.
  1. Generate a new IWA identity provider certificate as described in Generate and Download a Certificate Bundle for Service Providers and Identity Providers. The Common Name chosen before generating and downloading the certificate bundle can be any value for this certificate. That is, it is not required that it match the IWA server's hostname.
  2. Once the contents of the certificate bundle .zip file have been extracted, create a .pfx file consisting of the new certificate and its corresponding private key. For example, using the openssl utility: 

openssl pkcs12 -export -out IWASAML.pfx -inkey private.key -in cert.pem
Export password:  <press Enter>

  3. Copy the .pfx file to the target IWA server.
  4. Configure the RSA SecurID Access IWA connector to use the new .pfx file for signing identity assertions:
    1. On the IWA server, click Start > Configure RSA SecurID Access IWA Connector.
    2. Set the Issuer Signing Certificate to point to the new PFX file path. For example: C:\inetpub\wwwroot\RSASecurIDAccessIWAConnector\config\IWASAML.pfx. Alternatively, back up the existing IWA .pfx file being replaced and then copy the new .pfx file to the same, existing IWA .pfx file path.
  5. Configure the IDRs to use the new IWA certificate for identity assertion verifications:
    1. In the Administration Console menu, select Users > Identity Providers.
    2. Edit the IWA identity provider as in step 1 above. 
    3. At the bottom of the Connection Profile tab, use the Select File button to load the new cert.pem IWA SAML certificate. 
    4. Finish the wizard and then publish the changes.
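
A consistency check for the files used in the steps above, added here as an example and not part of the RSA article or product: it confirms that the .pfx handed to the IWA connector and the cert.pem loaded into the IDR describe the same certificate and key pair, so that assertions signed with one verify against the other. The helper name check_iwa_bundle is hypothetical; the file names and the empty export password follow the article's example, and private.key is assumed to be unencrypted.

```sh
# Added example, not RSA-supplied code. check_iwa_bundle is a hypothetical
# helper name; the file names follow the article's example.
# Returns 0 if the .pfx, cert.pem and private.key all describe one key pair,
# 1 on a mismatch, 2 if the .pfx cannot be opened.

cert_fp() {   # SHA-256 fingerprint of the first PEM certificate on stdin
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

check_iwa_bundle() {
  pfx=$1; cert=$2; key=$3; pass=${4:-}   # empty export password by default

  # Certificate stored in the .pfx that the IWA connector will sign with.
  pfx_cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) || {
    echo "FAIL: cannot open $pfx with the supplied export password" >&2
    return 2
  }

  # 1. The IDR verifies assertions with cert.pem, so it must be the same
  #    certificate as the one inside the .pfx.
  if [ "$(printf '%s\n' "$pfx_cert" | cert_fp)" != "$(cert_fp < "$cert")" ]; then
    echo "FAIL: $cert is not the certificate inside $pfx" >&2
    return 1
  fi

  # 2. The private key inside the .pfx (and the private.key it was built
  #    from) must belong to that certificate: compare public keys.
  pfx_pub=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$pfx_pub" ] || [ "$pfx_pub" != "$cert_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
    echo "FAIL: private key does not match $cert" >&2
    return 1
  fi

  # 3. Warn (without failing) if the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || echo "WARN: $cert has expired" >&2

  echo "OK: $pfx and $cert match, fingerprint $(cert_fp < "$cert")"
}
```

Source the file and run `check_iwa_bundle IWASAML.pfx cert.pem private.key` before copying the .pfx to the IWA server; the printed fingerprint can be compared with the certificate later loaded on the Connection Profile tab.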
Resolution: Verify that users can access the RSA SecurID Access application portal using IWA as before.