How to Rotate your External IdP Certificates in AWS IAM Identity Center (successor to AWS Single Sign-On) with Zero Downtime

8 minute read
Content level: Intermediate

In 2020, we announced that AWS Single Sign-On supports zero-downtime external IdP certificate rotation. In this article, I will demonstrate two examples using Azure AD and Okta. I will also demonstrate how to rotate your SCIM token for automatic provisioning.

Introduction

As announced in May 2020, you can now rotate the X.509 certificates you use for external identity providers (IdPs) with zero authentication downtime in IAM Identity Center (successor to AWS Single Sign-On).

It is a best practice to thwart certificate compromise by periodically rotating certificates, and by enforcing short-lived certificate expiration dates as a forcing function to do so. When rotating certificates, administrators must update certificates on their IdP and IAM Identity Center which can cause authentication downtime during the process. To avoid authentication failures during the rotation, IAM Identity Center now enables administrators to install a replacement certificate in IAM Identity Center while the existing certificate remains available for use. Administrators can then update their IdP to enable the new certificate and remove the old certificate, without causing authentication downtime. IAM Identity Center enables administrators to have multiple active certificates to facilitate this graceful rotation.


Prerequisites

You will need administrative access to AWS IAM Identity Center


Procedure for Azure AD

We are going to generate a new SAML Signing Certificate in the Azure portal that we will import into AWS IAM Identity Center. Once this new certificate is imported and made active in Azure, we can delete the old certificate with no interruption to single sign-on.


Generate the new SAML Signing Certificate

  1. Login to your Azure AD Portal and navigate to Enterprise Applications. Select the application that corresponds to the AWS IAM Identity Center you want to update.
  2. From the left navigation pane, choose Single sign-on.
  3. Scroll down to the SAML Certificates section and choose the edit icon. You should see one certificate listed with the status of Active.
  4. Click + New Certificate and then click Save. You will now see two certificates listed, one with a status of Active and the other Inactive.
  5. Download the new certificate by clicking on the three dots to the right of the Inactive certificate, and choose PEM Certificate Download. Next, we will import the downloaded certificate in AWS IAM Identity Center.

Import the New Certificate in AWS IAM Identity Center

  1. Login to the Management Account of your AWS organization with an identity that has appropriate permissions to modify AWS IAM Identity Center settings. I recommend having a secondary method like an IAM user available in case you inadvertently lose single sign-on access.
  2. Navigate to IAM Identity Center and choose Settings from the left-hand menu. Scroll down to Identity Source, click the Actions drop-down, and choose Manage Authentication.
  3. Import the new certificate by clicking Import certificate, then Choose file, and select the .pem file that you downloaded earlier. Click Import Certificate.
  4. You will now see two certificates listed. You can have a maximum of 2 certificates in IAM Identity Center at any given time.
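Once two certificates are listed on both sides, it is worth confirming, from the files themselves, which one is the new certificate and how long it is valid for before you activate it in the IdP and delete the old one. The following script is an added example (not part of the original article or of any AWS, Azure or Okta tooling); it uses only the Python standard library to read a PEM certificate such as the one downloaded from Azure (the Okta .cer download is the same PEM format), and reports its SHA-256 fingerprint, validity window and a suggested rotation action. The `build_sample_cert_pem` helper is an assumption for offline use: it builds a certificate-shaped DER structure with real X.509 field layout but no key or signature, so the parser can be exercised without a real certificate. On a real file, call `rotation_status(open("cert.pem").read(), now)`.

```python
import base64
import datetime as dt
import hashlib

# --- minimal DER helpers (stdlib only) --------------------------------

def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def _read_tlv(buf: bytes, off: int):
    """Decode the TLV starting at buf[off]; return (tag, value, next_offset)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        num = first & 0x7F
        n = int.from_bytes(buf[off + 2:off + 2 + num], "big")
        hdr = 2 + num
    start = off + hdr
    return tag, buf[start:start + n], start + n

def _children(value: bytes):
    """Yield (tag, value) for each TLV inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, off = _read_tlv(value, off)
        yield tag, val

def _parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000   # RFC 5280 two-digit year rule
        s = f"{year}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

# --- certificate inspection -------------------------------------------

def pem_to_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def cert_validity(der: bytes):
    """Return (not_before, not_after) from the TBSCertificate."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, validity = fields[3]
    (t1, v1), (t2, v2) = list(_children(validity))
    return _parse_time(t1, v1), _parse_time(t2, v2)

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def rotation_status(pem: str, now: dt.datetime, warn_days: int = 30) -> dict:
    """Summarise one certificate and say whether it is due for rotation."""
    der = pem_to_der(pem)
    not_before, not_after = cert_validity(der)
    days_left = (not_after - now).days
    if now < not_before:
        action = "not yet valid: do not activate"
    elif days_left < 0:
        action = "expired: rotate immediately"
    elif days_left <= warn_days:
        action = "rotate soon"
    else:
        action = "ok"
    return {"fingerprint": sha256_fingerprint(der), "not_before": not_before,
            "not_after": not_after, "days_left": days_left, "action": action}

def build_sample_cert_pem(not_before: dt.datetime, not_after: dt.datetime) -> str:
    """Constructed demo input (assumption): X.509 layout, empty names, no key or signature."""
    oid_sha256_rsa = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),          # [0] version v3
        _der(0x02, b"\x01"),                       # serialNumber
        _der(0x30, oid_sha256_rsa),                # signature algorithm
        _der(0x30, b""),                           # issuer (empty Name)
        _der(0x30, utc(not_before) + utc(not_after)),  # validity
        _der(0x30, b""),                           # subject (empty Name)
        _der(0x30, b""),                           # subjectPublicKeyInfo (empty)
    ]))
    cert = _der(0x30, tbs + _der(0x30, oid_sha256_rsa) + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    sample = build_sample_cert_pem(dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc),
                                   dt.datetime(2027, 1, 1, tzinfo=dt.timezone.utc))
    print(rotation_status(sample, dt.datetime.now(dt.timezone.utc)))
```

Run it against the old and new PEM files and compare the two fingerprints with the certificate details shown in the IdP and in IAM Identity Center before you delete anything; the `days_left` value is also a convenient input for a reminder that the next rotation is due.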


Rollover the Certificate and Clean-Up

Now we need to activate the new certificate and clean up the old certificate resources.

  1. Switch back to your Azure portal and activate the new certificate by clicking on the three dots next to the Inactive Certificate and choose Make Certificate Active. Accept the notification by clicking Yes. You should now see the new certificate status as Active and the old one as Inactive.
  2. At this point, SSO access to AWS should still be working because you have both the old and new certificates imported. Close the Certificate popup in Azure, and you will be prompted to Test single sign-on. I recommend clicking No here and testing it in a separate browser or incognito window to avoid interrupting your current session.
  3. Now that you have verified single sign-on is working, you can clean up the old certificates.
  4. In the Azure portal, click the Edit button in the SAML Certificates section, then click the three dots to the right of the Inactive certificate, and finally choose Delete Certificate. Confirm your selection by clicking Yes.
  5. Switch back to AWS IAM Identity Center, click the radio button next to the old certificate, type the word DELETE in the box to confirm, and click Delete certificate.

Congratulations, you have successfully rolled over your SAML certificate. Now let's roll over the SCIM token used for automatic provisioning.


Rollover the SCIM Token

  1. Navigate to AWS IAM Identity Center and choose Settings from the left-hand menu. Scroll down to Identity Source, click the Actions drop-down, and choose Manage Provisioning.
  2. You should see one Access token listed. You can have a maximum of two active Access tokens at any given time. Click Generate token. Copy the access token to a safe place like a password vault. Important: This is the last time the token will be shown. You cannot recover this access token later. However, you can generate new tokens at any time.
  3. Switch back to the Azure portal and choose Provisioning from the left hand menu. Click Edit Provisioning at the top.
  4. Update the Secret Token by clicking the drop-down arrow next to Admin Credentials and pasting the token that you copied earlier into the Secret Token field. Click Test Connection and you should receive a message at the top right that the connection was successful.
  5. Click the Save button to save the new token.
  6. Switch back to the AWS IAM Identity Center, click the radio button next to the old Access token, click delete, type the word DELETE to confirm, and click Delete Access token.

Congratulations, you have successfully rolled over your SCIM token for Azure provisioning.


Procedure for Okta

The steps for this procedure are almost identical to the Azure steps above.

Generate the new SAML Signing Certificate

  1. Login to the Okta portal and navigate to Applications. Choose the application that corresponds to your AWS IAM Identity Center integration. Click the Sign On tab.
  2. Generate the new SAML certificate by scrolling down to the SAML Signing Certificates section and clicking the Generate new certificate button.
  3. You should now see two certificates listed; one with a Status of Active and the other Inactive. Click the Actions button to the right of the Inactive certificate and choose Download certificate. The certificate will be downloaded in PEM format with a .cer extension.


Import the New Certificate in AWS IAM Identity Center

These steps are identical to the procedure in the Azure section except you will choose the file with the .cer extension.


Rollover the Certificate and Clean-Up

  1. Switch back to your Okta portal and activate the new certificate by clicking on the Actions button next to the Inactive Certificate and choose Activate. Accept the notification by clicking Activate Certificate. You should now see the new certificate status as Active and the old one as Inactive.
  2. At this point, SSO access to AWS should still be working because you have both the old and new certificates imported. Test single sign-on by opening a separate browser or incognito window to avoid interrupting your current session.
  3. Now that you have verified single sign-on is working, you can clean up the old certificates.
  4. In the Okta portal, click the Actions button to the right of the Inactive certificate, and finally choose Delete.
  5. Switch back to AWS IAM Identity Center, click the radio button next to the old certificate, type the word DELETE in the box to confirm, and click Delete certificate.

Rollover the SCIM Token

  1. Follow steps 1 and 2 from the Azure procedure above to generate a new SCIM token in the AWS IAM Identity Center console.
  2. Switch back to the Okta portal and choose the Provisioning tab at the top of the application menu. Choose Integration from the left sub-menu.
  3. Update the API Token by clicking Edit next to Integration and pasting the token that you copied earlier into the API Token field. Click Test API Credentials and you should receive a message at the top that verification was successful.
  4. Click the Save button to save the new token.
  5. Switch back to the AWS IAM Identity Center, click the radio button next to the old Access token, click delete, type the word DELETE to confirm, and click Delete Access token.

Congratulations, you have successfully rolled over your SCIM token for Okta provisioning.


Conclusion

In this guide, I demonstrated the procedure for rolling over your SAML signing certificate and SCIM token for automatic provisioning in Okta and Azure AD. For additional information, refer to the AWS IAM Identity Center documentation, the Azure AD SSO Integration tutorial, and the Integrating Okta with AWS SSO blog post.