Updating your SAML public key or API key

SAML single sign-on uses cryptographically signed tokens known as Assertions. They are signed by your Identity Provider system (Ping Federate or Active Directory Federation Services, for example). Glance checks the signature to make sure the token is valid before accepting it. Your Identity Provider signs Assertions with the private key that belongs to an internal signing certificate. When you provision SAML at Glance, you give our system the public key from that certificate.

From time to time, your identity provider’s signing certificate may change. This might be due to routine cryptographic key rotation or, less likely, because your identity provider’s private key was compromised.

When your identity provider’s certificate changes, you must also change the public key you give our system.

You can give us up to five public keys. If you give us multiple public keys, we accept Assertion tokens signed with any of them.

Changing your public key with a Metadata Discovery Endpoint

  1. You may have a URL known as a Federation Metadata Discovery Endpoint from your identity provider. It is the URL of an XML document and looks something like this example.

    https://identity.example.com/FederationMetadata/2007-06/FederationMetadata.xml
    
  2. Log in to Glance by following these instructions.

  3. Go to the SETTINGS tab, scroll to the bottom, and click the Manage your single sign-on settings link.

  4. Scroll to the Metadata Discovery Endpoint line, click the Choose File button, enter your URL, and press Open.

  5. Scroll to the bottom of the page and click OK.

That updates your public key.

Changing your public key with text

  1. Make sure you have the text of your new public key. It is a block of text looking something like this but with more lines. Be sure it includes the first BEGIN CERTIFICATE and last END CERTIFICATE lines. You will need to copy your block of text and paste it into Glance. (Don’t copy this one, it’s just an example.)

    -----BEGIN CERTIFICATE-----
    MIIC3jCCu1gMGvKZTEqhAXZ2TPRz0pREDACTEDzBMA0GCSqGSIb3DQEBCwUAA4IB
    FAA5AZNwsjP6JkNo8CREDACTED6dXaLhRlUor58QouJca0nfNQebpRlLHZ5mA7Zi
    2dVqREDACTED8mABSESbC76J2gKPNnZEFlJyIxXtzMMA18YlrVwdOuU3YZ1noStU
    oLMVYQqyjPj7MSQTwKwTMY2e
    -----END CERTIFICATE-----
    
  2. Log in to Glance by following these instructions.

  3. Navigate to the SETTINGS tab, scroll to the bottom, and click the Manage your single sign-on settings link.

  4. Scroll to the first X.509 Public Key line.

  5. You may replace your existing public key with the new one. In that case delete all the text from the textbox, and paste in your new key. If you do this, Glance rejects future Assertion tokens signed with the old key.

  6. You may add a new public key to the existing one by pasting it into an empty X.509 Public Key text box. If you do this, Glance accepts future Assertion tokens signed with either key. Using multiple public keys allows a graceful key rotation operation.

  7. Scroll to the bottom of the page and click OK.

Changing your API Key

Refer to Glance Account Values.