I am working on a web application that allows SAML for single sign-on. For this purpose, we have issued an X.509 certificate. The sign-on works fine, but the certificate we initially issued is now close to its expiry date and we need to issue a new one.
Could somebody please explain what the process is for issuing a new certificate to identity providers while maintaining the existing one?
We are using the python3-saml library if that is relevant but I think this is more of a SAML question than a Python one.
The SAML certificate can remain expired.
According to the OASIS SAML V2.0 Metadata Interoperability Profile v1.0, SAML uses the IdP or SP certificate purely as a container for the public key – it does not use any of the certificate's metadata (e.g. Subject or SAN), thus there is no validation that would warrant certificate expiry or renewal. That is handled solely at the level of the SAML metadata document.
(For the same reason, it's common for SAML certificates to be self-signed – their "trust" comes from being included in the SAML metadata, so the issuer has no bearing on it.)
So if you wish (or if your IdP insists), the safest option is to issue a new certificate using the same private key, and as far as SAML is concerned it will still be the same certificate.
(If you must generate a new keypair, that is also fine but you must also give your IdP your updated metadata document or upload the updated certificate separately.)
In fact, SAML doesn't really use the SP certificate for much – the IdP only issues assertions for a specific entityID as 'audience', whereas your certificate does not become part of the SP's identity at all. To the best of my knowledge, SP certificates are only used a) for assertion encryption, if that option is enabled on the IdP, and b) for signing the logout requests when SLO (Single Logout) is in use.
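The following is an added example, not part of the question or of the answer above, showing the "same private key, new certificate" renewal the answer recommends, plus the check a practitioner would want before touching the IdP: that the public key in the new certificate is byte-for-byte the one already in the SAML metadata. It assumes the `openssl` command is installed; the key file, subject name and validity periods are constructed for the example, and the original key and soon-to-expire certificate are generated here only so that the script runs stand-alone.

```bash
#!/bin/sh
# Added example (not from the original question or answer): renew a SAML SP
# certificate while keeping the same private key, then verify that the public
# key, which is all the SAML metadata binds trust to, has not changed.
# Assumes: openssl is on PATH. Paths, subject and validity are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (constructed): the existing key and the certificate that is about to
# expire. In a real deployment these already exist; do not regenerate the key.
make_original() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sp.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/sp.key" -days 1 \
    -subj "/CN=sp.example.test" -out "$WORK/sp-old.crt" 2>/dev/null
}

# Step 2: issue a new self-signed certificate from the SAME private key.
# Only the X.509 wrapper (serial, validity, signature) changes.
renew_same_key() {
  openssl req -new -x509 -key "$WORK/sp.key" -days 730 \
    -subj "/CN=sp.example.test" -out "$WORK/sp-new.crt" 2>/dev/null
}

# The SubjectPublicKeyInfo of a certificate, in PEM form. This is the part the
# IdP actually uses when it validates a signature or encrypts an assertion.
pubkey_of_cert() {
  openssl x509 -in "$1" -pubkey -noout
}

# The value that goes into <ds:X509Certificate> in the SP metadata:
# the DER-encoded certificate, base64 on a single line.
metadata_cert_value() {
  openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# Returns 0 if the old and new certificates carry the same public key, i.e.
# the IdP's existing trust in this key still applies.
same_public_key() {
  old=$(pubkey_of_cert "$WORK/sp-old.crt")
  new=$(pubkey_of_cert "$WORK/sp-new.crt")
  [ "$old" = "$new" ]
}

# Returns 0 if the new file is nonetheless a distinct certificate (different
# fingerprint), which is what changes in the metadata document.
different_certificate() {
  old=$(openssl x509 -in "$WORK/sp-old.crt" -fingerprint -sha256 -noout)
  new=$(openssl x509 -in "$WORK/sp-new.crt" -fingerprint -sha256 -noout)
  [ "$old" != "$new" ]
}

# Negative case: a certificate from a fresh keypair does NOT match the old
# public key, so the IdP must be given updated metadata before cut-over.
new_keypair_differs() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -days 730 -subj "/CN=sp.example.test" -out "$WORK/sp-other.crt" 2>/dev/null
  old=$(pubkey_of_cert "$WORK/sp-old.crt")
  other=$(pubkey_of_cert "$WORK/sp-other.crt")
  [ "$old" != "$other" ]
}

make_original
renew_same_key

if same_public_key; then
  echo "public key unchanged; new <ds:X509Certificate> value:"
  metadata_cert_value "$WORK/sp-new.crt"
  echo
fi
```

Run it once and compare the `same_public_key` result against the certificate you are about to publish: if the keys match, swapping the `<ds:X509Certificate>` value in your metadata is a cosmetic change for the IdP; if they do not, you are in the "new keypair" case the answer describes and the IdP needs the updated metadata or certificate before you switch the SP over.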