SecurID Access Prime: Replacing SAML Response Certificate of a SAML Identity Provider integrated with the Self-Service Portal
Article Number
Applies To
RSA Product/Service Type: SecurID Access Prime
Issue
Resolution
- Obtain the new certificate used to validate the SAML Responses from the identity provider.
- On each Prime server where the SAML identity provider is used to access the Self-Service Portal, do the following:
  - Copy the new certificate to the Prime server's /tmp directory.
  - Log into the Prime server as the primekit user.
  - Navigate to the /opt/rsa/primekit/configs/amis directory.
    - Linux: cd /opt/rsa/primekit/configs/amis
  - Make a backup copy of the authconfig.xml file in this directory.
    - Linux: cp authconfig.xml authconfig.xml.backup
  - Edit the authconfig.xml file.
    - Linux: vi authconfig.xml
  - In the authconfig.xml file, look for the section of text between the <saml> and </saml> tags. This should contain the configuration of the SAML identity provider integrated with Prime. To double check, verify that the URL between the <idpURL> and </idpURL> tags refers to the identity provider from which the new SAML Response certificate was obtained.
  - Within the <saml> and </saml> tags, note the values between the following tags:
    - <samlJavaKeyStore> and </samlJavaKeyStore> (the path to the Java keystore that holds the old SAML Response certificate).
    - <samlJavaKeyStorePassword> and </samlJavaKeyStorePassword> (the password for the above keystore).
  - Within the same <saml> and </saml> tags, change the value between the <assertionSignatureValidationCertificateAlias> and </assertionSignatureValidationCertificateAlias> tags to a new, unique value. This value is used as the alias for the new SAML Response certificate when it is imported into the keystore, so it must not collide with an alias already present there.
  - Save the updated authconfig.xml file.
  - Import the new SAML Response certificate into the <samlJavaKeyStore> using the new <assertionSignatureValidationCertificateAlias> value.
    - Linux: /opt/rsa/primekit/java/latest/bin/keytool -import -alias <assertionSignatureValidationCertificateAlias> -file /tmp/<new SAML Response certificate> -keystore <samlJavaKeyStore>
  - Restart the AMIS service.
    - Linux: service tomcat-amis restart
  - Restart the SSP service.
    - Linux: service tomcat-ssp restart
  - Test logging into the Prime SSP using the SAML identity provider.
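The per-server steps above, scripted as POSIX shell functions. This is an added example, not RSA's own tooling; it assumes the three configuration tags each sit on one line of authconfig.xml and that keytool is the one under /opt/rsa/primekit/java/latest/bin. It adds the checks a practitioner wants before restarting services: the new alias differs from the old one and is not already in the keystore, and the import is confirmed with keytool -list.

```shell
#!/bin/sh
# Added example (not RSA's own tooling). Assumptions: <samlJavaKeyStore>,
# <samlJavaKeyStorePassword> and <assertionSignatureValidationCertificateAlias>
# each sit on a single line of authconfig.xml; keytool is the Prime-shipped one.
set -u

KEYTOOL=/opt/rsa/primekit/java/latest/bin/keytool

# Print the text between <TAG> and </TAG> in FILE (first match only).
get_tag() {  # get_tag FILE TAG
    sed -n "s|.*<$2>\(.*\)</$2>.*|\1|p" "$1" | head -n 1
}

# Replace the text between <TAG> and </TAG> in FILE with VALUE, in place.
set_tag() {  # set_tag FILE TAG VALUE
    sed -i "s|<$2>.*</$2>|<$2>$3</$2>|" "$1"
}

# True when ALIAS is not yet present in KEYSTORE (keytool -list -alias exits
# non-zero for an unknown alias), so the old entry is never overwritten.
alias_is_free() {  # alias_is_free KEYSTORE PASSWORD ALIAS
    ! "$KEYTOOL" -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Back up authconfig.xml, record the new alias, import and verify the certificate.
rotate_saml_cert() {  # rotate_saml_cert AUTHCONFIG NEW_CERT_FILE NEW_ALIAS
    authconfig=$1; cert=$2; new_alias=$3
    keystore=$(get_tag "$authconfig" samlJavaKeyStore)
    storepass=$(get_tag "$authconfig" samlJavaKeyStorePassword)
    old_alias=$(get_tag "$authconfig" assertionSignatureValidationCertificateAlias)
    [ -n "$keystore" ] && [ -f "$cert" ] || { echo "missing keystore path or certificate file" >&2; return 1; }
    [ "$new_alias" != "$old_alias" ] || { echo "new alias must differ from current alias $old_alias" >&2; return 1; }
    alias_is_free "$keystore" "$storepass" "$new_alias" || { echo "alias $new_alias already in keystore" >&2; return 1; }
    echo "Rotating SAML Response certificate for IdP $(get_tag "$authconfig" idpURL)"
    cp "$authconfig" "$authconfig.backup" || return 1
    set_tag "$authconfig" assertionSignatureValidationCertificateAlias "$new_alias"
    "$KEYTOOL" -import -noprompt -alias "$new_alias" -file "$cert" \
        -keystore "$keystore" -storepass "$storepass" || return 1
    # Confirm the entry landed before tomcat-amis and tomcat-ssp are restarted.
    "$KEYTOOL" -list -keystore "$keystore" -storepass "$storepass" -alias "$new_alias"
}
```

Run it on the Prime server as the primekit user, e.g. `rotate_saml_cert /opt/rsa/primekit/configs/amis/authconfig.xml /tmp/new-idp.cer idp-2026`, then restart the AMIS and SSP services as above.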