HelloID's self-signed certificates expire after a period of time. As such, it is periodically necessary to update the trust relationship between HelloID and Active Directory Federation Services (AD FS). If this is not done, end users may be denied access to HelloID when using AD FS as their identity provider (IdP). This article will walk you through the process of performing this update.
Important: This update should be performed off-hours, as end users will be unable to log in through AD FS while you are performing these updates.
Generate a new certificate
Using the instructions on this page, generate a new self-signed certificate and download a copy of it in .CER format. Copy the saved certificate file to a location on your AD FS server.
Do not remove the old certificate yet—you may do that after you have completed all steps in this article.
Update the IdP configuration
Once your new certificate has been created, follow these steps to update the IdP configuration in HelloID.
- Navigate to Security > Authentication > Identity Providers.
- Click the Edit link for your AD FS entry.
- Select the Configuration tab, and look for any certificate options where your old certificate has been selected. Change those options to have your new certificate selected, instead. In the screenshot below, for example, we've replaced both Request Certificate and Response Decryption Certificate.
- Click Save to commit your changes.
Update Active Directory Federation Services
Follow these steps to update HelloID's Relying Party Trust in AD FS.
- On the AD FS server, open the AD FS Management console.
- On the left side of the window, select Relying Party Trusts. Then, double-click your HelloID instance's entry to open its properties pane.
- Navigate to the Encryption tab and click the Browse button.
- Browse to the HelloID certificate file you copied over to your AD FS server and open it. This will update the encryption certificate details. Verify that they are correct before moving on.
- Navigate to the Signature tab and click the Add button.
- Browse to the HelloID certificate file you copied over to your AD FS server and open it. This will add a new entry to the signature list. Verify that the new entry is correct before moving on.
- Select your old certificate and click the Remove button.
- Click OK.
Your AD FS server is now configured to communicate with HelloID using the updated certificate, and you should be able to log in to HelloID as expected.
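The same Relying Party Trust update can be scripted with the ADFS PowerShell module, which is useful for checking the new certificate's validity before applying it and for confirming afterwards that the trust really carries the new thumbprints. The script below is an added example and is not part of the HelloID article or the HelloID product; the trust name "HelloID" and the path C:\Temp\helloid-new.cer are placeholders to adjust for your environment.

```powershell
# Added example (not from the HelloID article): rotate the HelloID certificate on the
# AD FS Relying Party Trust using the ADFS module, mirroring the console steps above.
# Placeholders (assumptions): trust display name and path of the copied .CER file.
Import-Module ADFS

$TrustName  = 'HelloID'                   # placeholder: display name of the Relying Party Trust
$NewCerPath = 'C:\Temp\helloid-new.cer'   # placeholder: .CER downloaded from HelloID and copied here

# Load the new certificate and refuse to proceed if it is not currently valid.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $NewCerPath
$now = Get-Date
if ($newCert.NotAfter -le $now -or $newCert.NotBefore -gt $now) {
    throw "Certificate $($newCert.Thumbprint) is not valid right now (NotBefore $($newCert.NotBefore), NotAfter $($newCert.NotAfter))."
}

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying Party Trust '$TrustName' was not found." }

# Record the current state so the change can be reviewed (and reverted) if needed.
if ($trust.EncryptionCertificate) {
    Write-Host "Current encryption cert: $($trust.EncryptionCertificate.Thumbprint) (expires $($trust.EncryptionCertificate.NotAfter))"
}
foreach ($c in @($trust.RequestSigningCertificate)) {
    Write-Host "Current signing cert   : $($c.Thumbprint) (expires $($c.NotAfter))"
}

# Encryption tab: replace the encryption certificate with the new one.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -EncryptionCertificate $newCert

# Signature tab: Add the new certificate and Remove the old one, done in one step by
# setting the signing certificate list to contain only the new certificate.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -RequestSigningCertificate @($newCert)

# Verify that the trust now references the new certificate and nothing else.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$signing = @($trust.RequestSigningCertificate)
$encOk = $trust.EncryptionCertificate.Thumbprint -eq $newCert.Thumbprint
$sigOk = ($signing.Count -eq 1) -and ($signing[0].Thumbprint -eq $newCert.Thumbprint)
if (-not ($encOk -and $sigOk)) {
    throw "Certificate update did not apply as expected; review the trust's Encryption and Signature tabs."
}
Write-Host "Relying Party Trust '$TrustName' now uses $($newCert.Thumbprint) for encryption and request signing."
```

Run this in an elevated PowerShell session on the AD FS server after you have saved the new certificate in HelloID. The validity check at the top catches the common mistake of copying over the old, already-expired .CER file, and the final comparison of thumbprints is the same verification the article asks you to do by eye on the Encryption and Signature tabs.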