Saturday, September 5, 2020

Painful Process of Renewing an IDP's Signing Certificate in a SAML Integration

I did my first SAML integration in 2005 using a product called SHARE-id, developed by Oblix and later part of Oracle's IAM product suite. Over the last 10 years there has been a huge adoption of the SAML protocol for seamless integration with centralized authentication service providers like Azure, Ping, Forgerock, Google and so on. You can also write your own authentication service that supports SAML: free libraries are easy to find for implementing either a SAML IDP (Identity Provider) or the assertion consumer service of an SP (Service Provider).


Here is a diagram of a standard SAML flow.
 


I will not describe how a SAML integration works, as many good articles are already available on the net. This write-up focuses specifically on the "certificate renewal" aspect of SAML integration, which is one of its major pain points.

Context :-
One or many Service Providers (SPs, i.e. web applications) are tied to an Identity Provider (IDP: Azure, Forgerock, Ping, home-grown) in a "circle of trust", where the IDP shares its signing certificate with all SPs. The SP uses this certificate to verify the digital signature on the SAML Response, which proves that the response was indeed issued by the chosen IDP. Note that the SP pins the IDP's certificate (really its public key) taken from the IDP metadata; it does not validate a CA chain the way a browser does. That is why a self-signed certificate is the norm here, and also why a new certificate has to be pushed to every SP rather than being trusted automatically.
 
Now the Issue :-
Like any other X.509 certificate, the IDP's signing certificate has a fixed validity period (Azure AD, for example, issues it with a three-year lifetime by default). Before it expires, every participating SP has to replace the old certificate with the new one; once the certificate is past its NotAfter date, any SP that checks the validity period (most do) will reject the IDP's responses. When you have 100+ SAML apps in production, coordinating with that many AppOwners and getting the certificate replaced takes a good amount of planning and effort.

Possible Solutions :-
(1) Plan it out in advance :-
This is the bare minimum an IDP owner can do :-
o Add a new certificate to the IDP in the non-prod environment about 3 months before expiry, while the current certificate stays active for signing. Having the "to-be-expired" and the "new" certificate coexist in the IDP metadata is what ensures there is no outage: an SP that has imported both will accept a response signed with either one, so the IDP can switch signing keys whenever it likes.
o The new certificate (and/or the updated IDP metadata) is then distributed to each AppOwner.
o Once all AppOwners confirm that their app's SAML integration works with the new certificate, the IDP switches signing over to the new certificate and the old one is removed from the IDP.
o The same process is then followed in production.
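To make the coexistence window concrete, here is an added example, not code from the original post or from any IDP vendor, written in Go with only the standard library. It mints two self-signed IDP certificates as constructed test data (one with 90 days left, one freshly issued), publishes them in a minimal IDP metadata document with a hypothetical entityID, and shows an SP that loads every certificate the metadata advertises and accepts a response signed by any of them that is still inside its validity period. The signature is a plain RSA-SHA256 signature over the response bytes rather than a real XML-DSig, and the KeyDescriptor `use` attribute is ignored for brevity; the certificate-selection logic is the point.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The certificates in IDP metadata. encoding/xml matches local names, so the md:/ds:
// prefixes real IDPs emit do not matter. (Production code should also honour the
// KeyDescriptor "use" attribute; it is skipped here for brevity.)
type idpMetadata struct {
	Certs []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// LoadTrustStore returns every IDP certificate the metadata advertises. This is the
// SP side of the rollover: holding old and new at once is what avoids an outage.
func LoadTrustStore(metadataXML []byte) ([]*x509.Certificate, error) {
	var md idpMetadata
	if err := xml.Unmarshal(metadataXML, &md); err != nil {
		return nil, err
	}
	var certs []*x509.Certificate
	for _, b64 := range md.Certs {
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
	}
	return certs, nil
}

// Verify accepts sig if any trusted certificate valid at "now" verifies it and returns
// that certificate's CN. Expired certificates are skipped, as most SP libraries do;
// that is exactly what breaks an SP that never imported the new certificate.
func Verify(certs []*x509.Certificate, msg, sig []byte, now time.Time) (string, error) {
	digest := sha256.Sum256(msg)
	for _, c := range certs {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if ok && !now.Before(c.NotBefore) && !now.After(c.NotAfter) && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return c.Subject.CommonName, nil
		}
	}
	return "", fmt.Errorf("no current IDP signing certificate verifies this response")
}

// NewIDPCert mints a self-signed IDP signing certificate (constructed test data) and
// returns its key plus the base64 DER as metadata carries it. Errors are dropped only
// because the inputs are fixed test values.
func NewIDPCert(cn string, notBefore time.Time, years int) (*rsa.PrivateKey, string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, base64.StdEncoding.EncodeToString(der)
}

// Metadata wraps the given base64 certificates in a minimal IDP metadata document
// (hypothetical entityID), one signing KeyDescriptor per certificate.
func Metadata(certs ...string) []byte {
	s := `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml"><md:IDPSSODescriptor>`
	for _, c := range certs {
		s += `<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>` + c + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	}
	return []byte(s + `</md:IDPSSODescriptor></md:EntityDescriptor>`)
}

// Sign stands in for the IDP signing a response with its active key. Real SAML uses
// XML-DSig over canonicalised XML, but the certificate selection above is the same.
func Sign(key *rsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return sig
}

func main() {
	now := time.Now()
	resp := []byte(`<samlp:Response ID="_constructed">...</samlp:Response>`)
	oldKey, oldCert := NewIDPCert("idp-signing-old", now.AddDate(-3, 0, 90), 3) // 90 days left
	newKey, newCert := NewIDPCert("idp-signing-new", now, 3)
	spOld, _ := LoadTrustStore(Metadata(oldCert))          // SP that never imported new metadata
	spBoth, _ := LoadTrustStore(Metadata(oldCert, newCert)) // SP in the coexistence window
	fmt.Println(Verify(spOld, resp, Sign(newKey, resp), now))                    // IDP cut over too early: outage
	fmt.Println(Verify(spBoth, resp, Sign(oldKey, resp), now))                   // still signing with old: ok
	fmt.Println(Verify(spBoth, resp, Sign(newKey, resp), now))                   // cut over to new: ok
	fmt.Println(Verify(spOld, resp, Sign(oldKey, resp), now.AddDate(0, 0, 100))) // old cert expired: outage
}
```

Run it with go run. The first and last lines of output are the two ways to cause an outage: the IDP switching to the new key before an SP has imported it, and an SP still holding only a certificate that has passed its NotAfter. The middle two lines show that an SP inside the coexistence window accepts either key, which is exactly what lets the IDP owner switch signing at leisure and remove the old certificate only when everyone has confirmed.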

(2) Can we improve this process and automate it?
Yes, although it all depends on your organization's budget :) An IDP application dashboard portal can be built where AppOwners onboard their SAML-compatible application through a user-friendly app registration process.
o The IDP owner proactively adds the new certificate to the IDP before expiry, and the portal notifies the AppOwners.
o AppOwners pick up the certificate and IDP metadata and test the SAML integration.
o The portal removes the old certificate from the IDP as soon as every AppOwner certifies a successful integration with the new certificate.

Basically, the portal replaces the manual coordination between the IDP owner and the AppOwners by automating the IDP certificate renewal process. One step further: an SP that consumes the IDP metadata from a URL and refreshes it periodically, rather than holding a certificate pasted in at onboarding time, picks up the new certificate with no manual step at all; the pasted-certificate SPs are the ones that generate the coordination effort.

(3) Any other options?
Yes: switch to an OIDC-based integration, which uses a lightweight JSON Web Token instead of the XML-heavy SAML Response. The ID token is signed either with an HMAC derived from the client secret or, more commonly, with an asymmetric key that the provider publishes at its JWKS (JSON Web Key Set) endpoint. The relying party fetches that key set and matches the token's kid header to the right key, so the provider can rotate signing keys without anyone redistributing certificates. We will cover this in the next blog.
 
 

Sunday, April 26, 2020

Practical Tips To Stay Focused In An Ever Distracting Environment

Companies are increasingly adopting Agile methodology and Continuous Integration and Delivery processes to make delivery efficient. There is also a noticeable increase in productivity among developers. Management expectations have gone up, and this creates quite a bit of stress on engineers to keep pace. Staying focused on finishing one logical task is becoming increasingly challenging for lead engineers when they handle multiple modules with the baggage of supporting many of their previous projects.

Here are a few practical tips on staying focused on your high-priority tasks.

1. Start your day addressing the critical items only, not reading email :-
Many of us start our day going through new emails and replying to them. I suggest spending the first two hours of your day addressing the P1 items, like :-
  • Any P1 follow-up items from yesterday. Note that you use email only for this purpose, not for reading new emails.
  • Any P1 technical issues / code you are working on.
This will give you a grip on all P1 items. Reading new emails will distract you with a new set of work; address the issues that are bothering you first instead.


2. Allocate specific times for new email :-
So when should you read your new emails? Allocate two specific times in the day for reading and replying to new emails. For example :-
  • Around 10am, two hours after you finish your critical items.
  • Again at 4pm, before winding down. By now you may have a TO-DO list for tomorrow from these emails.

3. Dealing with too many emails :-
A very simple solution is to apply effective email filters, so only the relevant emails stay on top. All enterprise email programs come with filter utilities.
Here are some filter examples :-
  • All emails where you are CCed should go to a "NotToMe" folder. The reason is obvious: you don't have to reply to them immediately.
  • We receive tons of system-generated emails like "server xxxx restarted", "The Certificate xxx is about to expire", etc. Carefully choose which of these regular emails belong in the trash. Be careful with the certificate-expiry notices, though: as the renewal post above shows, those are the ones that need months of lead time, so route them to a folder you review on a schedule rather than to the trash.
  • Put a similar filter on all the regular blah-blah emails, straight to trash.
  • Create sub-folders for different subcategories. For example, anything coming from Jira should go to a Jira subfolder.
Building a custom list of email filters takes time, as it needs constant adjusting. But this is one of the most critical tools that helps you avoid wasting time on non-critical items.


4. Block a few hours for technical work :-
Senior engineers spend more time on coordination and techno-clerical work, thus losing focus on core technical work. The best way to address this is to block at least 16 to 20 hours of your weekly calendar for development work.


5. Everything has a home :-
Many external factors help you stay focused. A few examples: a clean desk, a decluttered workspace, a clean inbox, etc. How do you keep a clean desk? I got this key takeaway, "Everything has a home", from a time-management training. Any object lying on your desk should have a home. The home could be a paper tray, a drawer, a bookshelf, the trash can, etc. The same goes for email: every email has a home (a rule-based folder).


6. Continuous planning :-
This is mostly applicable to senior / lead engineers, who very often face questions like: When will it be done? Why is it not done? What is taking so much time? What is the estimate? and so on. Continuous planning is THE critical task; it gives you the tool that helps you answer these questions.

Some useful tips on planning tools :-
  • TO-DO list for the month / quarter - Use a tool like a formula-based planning spreadsheet or Jira structure that gives you a near-perfect report on project status, particularly the number of remaining hours for your project stories. At least 2 hours a week need to be spent updating the story details. I usually reserve 2 hours every alternate Friday.
  • Ensure that your monthly plan matches the roadmap timeline set by your manager.
  • TO-DO list for the week :- Maintain a sticky note or a working journal listing each day's TO-DO items. This takes only 10 minutes and can be done in the morning. Plan your day around this weekly TO-DO list.

Conclusion :-
I learned these over the years working in a very demanding environment. I try my best to stick to these rules, though on some chaotic days I just do fire-fighting. These tips are not new to many of you. I would love to hear your experience with dealing with distractions and staying focused.