Conversation
Partners are sometimes confused about the difference between our cert that we update every year, and their certs that they need to rotate. This explains the difference between the two, and the recommended ways for partners to update our cert, as well as instructions for updating their certs.
|
|
||
| The easiest and recommended way is via our metadata endpoint. Consistent with the [SAML metadata specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf){:class="usa-link--external"}, Login.gov's metadata for our sandbox environment is available at [https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}](https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}). Our production metadata endpoint is available at [https://secure.login.gov/api/saml/metadata{{ site.data.saml.year.current }}](https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}). | ||
|
|
||
| This means that you don't have to manually copy our certificate from this page and then upload it to your systems once a year, during our [Annual Certificate Rotation](#annual-certificate-rotation). Instead, you can simply update the year in the metadata URL. |
There was a problem hiding this comment.
A suggestion to clean it up a bit:
This means you don't have to manually copy our certificate from this page and upload it to your systems once a year during our [Annual Certificate Rotation](#annual-certificate-rotation). Instead, simply update the year in the metadata URL
|
|
||
| This means that you don't have to manually copy our certificate from this page and then upload it to your systems once a year, during our [Annual Certificate Rotation](#annual-certificate-rotation). Instead, you can simply update the year in the metadata URL. | ||
|
|
||
| If your systems don't support ingesting the metadata via a URL, there typically is an option to upload a file. In that case, you would visit our metadata endpoint in your browser, then right-click anywhere inside the page, and select "Save As". The default filename will be metadata{{ site.data.saml.year.current }}.xml |
There was a problem hiding this comment.
If it makes sense -- A suggestion to update "there typically is an option to upload a file" to "an option to upload a file is typically available" so it reads:
If your systems don't support ingesting the metadata via a URL, an option to upload a file is typically available.
|
|
||
| If your systems don't support ingesting the metadata via a URL, there typically is an option to upload a file. In that case, you would visit our metadata endpoint in your browser, then right-click anywhere inside the page, and select "Save As". The default filename will be metadata{{ site.data.saml.year.current }}.xml | ||
|
|
||
| If there aren't any metadata options available to you, you will need to manually copy the certificate from the next section, then either paste it on your end, or save it to a file with a .crt extension, then upload it on your end so your app can access it. |
There was a problem hiding this comment.
Looks like ".crt" is marked as a regular text. Should it be marked in .crt inline code text?
| - text: Metadata | ||
| href: "/saml/getting-started/#metadata" |
There was a problem hiding this comment.
Changing headers is always dangerous. If we're linking to this section from somewhere, the link will break. Should we keep the section, or have you checked to make sure this won't break anything?
There was a problem hiding this comment.
We are not linking to it from the dev docs site or from the login.gov site. Are there other places that I should check?
There was a problem hiding this comment.
The Partner Portal, and IdP protocol error messages are candidates. I just checked and didn't turn up anything there.
monfresh
force-pushed
the
update-cert-docs
branch
from
abc70a8 to
89e8a05
Compare
3 participants
Partners are sometimes confused about the difference between our cert that we
update every year, and their certs that they need to rotate.
This explains the difference between the two, and the recommended ways for partners to update our cert, as well as instructions for updating their certs.