SecurID Access Prime: Replacing SAML Response Certificate of a SAML Identity Provider integrated with the Self-Service Portal
Article Number
Applies To
RSA Product/Service Type: SecurID Access Prime
Issue
Resolution
- Obtain the new certificate used to validate the SAML Responses from the identity provider.
- For each Prime server for which the SAML identity provider is used to access the Self-Service Portal on, do the following:
- Copy the new certificate to the Prime server's /tmp directory.
- Log into the Prime server as the primekit user.
- Navigate to the /opt/rsa/primekit/configs/amis directory.
- Linux: cd /opt/rsa/primekit/configs/amis
- Make a backup copy of the authconfig.xml file in this directory.
- Linux: cp authconfig.xml authconfig.xml.backup
- Edit the authconfig.xml file.
- Linux: vi authconfig.xml
- In the authconfig.xml file, look for the section of text between the <saml> and </saml> tags. This should contain the configuration of the SAML identity provider integrated with Prime. To double check, verify that the URL between the <idpURL> and </idpURL> tags refers to the identity provider from which the new SAML Response certificate was obtained.
- Within the <saml> and </saml> tags, note the values between the following tags:
- <samlJavaKeyStore> and </samlJavaKeyStore> (contains the path to the java keystore that holds the old SAML Response certificate.)
- <samlJavaKeyStorePassword> and </samlJavaKeyStorePassword> (contains the password for the above keystore.)
- Within the same <saml> and </saml> tags, modify the value between the <assertionSignatureValidationCertificateAlias> and </assertionSignatureValidationCertificateAlias> tags so that it is a new unique value. This new value will be used as an alias for the new SAML Response certificate when importing it into the keystore.
- Save the updated authconfig.xml file.
- Import the new SAML Response certificate into the <samlJavaKeyStore> using the new <assertionSignatureValidationCertificateAlias> value.
- Linux: /opt/rsa/primekit/java/latest/bin/keytool -import -alias <assertionSignatureValidationCertificateAlias> -file /tmp/<new SAML Response certificate> -keystore <samlJavaKeyStore>
- Restart the AMIS service.
- Linux: service tomcat-amis restart
- Restart the SSP service.
- Linux: service tomcat-ssp restart
- Test logging into the Prime SSP using the SAML identity provider.
Related Articles
How to minimize problems using MSIE when installing Sentry CA more than once? Number of Views Okta SSO - SAML Relying Party Configuration as a step-up for Okta applications - RSA Ready SecurID Access Implementation G… Number of Views After changes in certificate keystore, Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) consoles not accessible… Number of Views Update an existing RSA Cloud Authentication Service Integrated Windows Authentication (IWA) Connector Identity Provider SA… Number of Views FIM DATABASE AND ADMIN PASSWORDS Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA-2026-07: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
