
Upcoming Metadata change in the Fronter SAML Service Provider

The following information only concerns customers using federated login. If you are unsure whether this affects you, please contact your Fronter representative.

We are about to change the metadata of the Fronter SP (SAML Service Provider). The change may affect login for all customers who use federated login to access the Fronter learning platform.

The background for the change is that the certificate and key pair Fronter uses to sign SAML requests are about to expire and will be replaced with a new certificate and key pair. This means that all connected Identity Providers (IDPs) must update the SAML metadata for Fronter in their systems in order to support the new keys.

  • On the 15th June we will publish new metadata with both the new and the old certificate.
  • On the 15th June we will notify the Identity Providers providing a link to the new certificate.
  • At 15:00 CEST on the 11th July we plan to switch from using the old certificate to using the new certificate for signing AuthnRequests.
  • On the 11th July we will update the metadata to only include the new certificate.
  • Until the 18th July 2016 we will support both the new and the old certificates for encrypted responses.


When IDPs will need to take action

  • IDPs that require the AuthnRequest to be signed, and whose system loads the Fronter metadata automatically, will need to take Action A listed below before 11th July 2016.
  • IDPs that require the AuthnRequest to be signed, and whose system is configured manually, will need to take Action B listed below at 15:00 Central European Summer Time (CEST) on the 11th July 2016.
  • IDPs that do NOT require the AuthnRequest to be signed will need to take either Action A or Action B before 18th July 2016, depending on how the system is configured with the Fronter metadata.


Action A: Updating a system that loads the Fronter metadata automatically

If the system is configured to reload the Fronter metadata automatically, the endpoint it uses will need to be changed. Previously we distributed the metadata from:

https://sp.fronter.com/Shibboleth.sso/Metadata

This endpoint is now deprecated and must be changed to:

https://ws.fronter.com/saml/metadata/sp.fronter.com-metadata_signed.xml

This must be done to ensure that the system has the new certificate for validating the new signature on the AuthnRequest, and/or uses the new certificate for encrypting the response.


Action B: Updating a system that is configured manually

If the system is configured manually, the current certificates will need to be replaced with the new one.

The old certificate that is being replaced is:

CN: FRONTER AS/serialNumber=980364399
Expiry: Jul 19 21:59:00 2016 GMT
SHA1 Fingerprint: 07:0E:4B:33:42:B6:1E:AA:0B:03:85:DC:00:82:0C:51:F9:47:CE:B8 

 

The new certificate:

CN: ITSLEARNING AS/serialNumber=980682765
Expiry: Jun 30 21:59:00 2018 GMT
SHA1 Fingerprint: CF:8C:3F:BB:BD:5D:2F:59:0A:91:F5:11:7F:D4:74:B4:62:88:B4:52

 

The new certificate can be downloaded from:

https://ws.fronter.com/saml/certificates/buypass-cf8c3fbbbd5d2f590a91f5117fd474b46288b452.crt.pem

If a system needs the intermediate certificate, it can be downloaded from:

https://ws.fronter.com/saml/certificates/buypass-intermediate-d08106634977caeaf21645bd095dcd0de64cf808.crt.pem
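
For Action B, a downloaded certificate file can be compared with the SHA1 fingerprint published above before it is installed in the IDP. The following is an added example, not code from Fronter; it uses only the Python standard library, the function names are illustrative, and the sample certificate bytes are a constructed stand-in.

```python
import base64
import hashlib
import hmac
import re

# SHA1 fingerprint of the new certificate, as published on this page.
NEW_SHA1 = "CF:8C:3F:BB:BD:5D:2F:59:0A:91:F5:11:7F:D4:74:B4:62:88:B4:52"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Turn 'CF:8C:...' or 'cf8c...' into 40 lowercase hex digits."""
    hexed = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexed):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return hexed

def pem_fingerprints(pem_text):
    """SHA-1 over the DER bytes of each certificate in a PEM file."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps.append(hashlib.sha1(der).hexdigest())
    if not fps:
        raise ValueError("no CERTIFICATE block found")
    return fps

def matches_pin(pem_text, expected):
    """True only for a file holding exactly one certificate, the pinned one."""
    fps = pem_fingerprints(pem_text)
    return len(fps) == 1 and hmac.compare_digest(fps[0], normalize(expected))

def to_pem(der):
    """Wrap raw bytes as a PEM CERTIFICATE block (used for the sample below)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-in bytes, NOT the real Fronter certificate.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    own = hashlib.sha1(SAMPLE_DER).hexdigest()
    print(matches_pin(SAMPLE_PEM, own))       # sample checked against its own pin
    print(matches_pin(SAMPLE_PEM, NEW_SHA1))  # stand-in checked against the page's pin
    # Real use: matches_pin(open("downloaded.crt.pem").read(), NEW_SHA1)
```

The check fails on a file that contains more than one certificate, so the intermediate certificate has to be kept in a separate file from the one being pinned.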