Rotating the Laserfiche Cloud Public Key Certificate Used by Identity Providers for SAML Token Encryption.

June 13, 2024 | KB: 1014532
Laserfiche Cloud

Summary

Important: Customers with identity providers configured to encrypt SAML tokens sent to Laserfiche Cloud should rotate the encryption certificate by July 31, 2024. Failure to do so can cause sign-in errors. The latest public key certificate can be downloaded from the single sign-on configuration page in Laserfiche Cloud Account Administration.

The current Laserfiche Cloud public key certificate used to encrypt SAML assertions is set to expire on July 31, 2024. Depending on the identity provider, behavior can differ when the certificate has expired.

  • Microsoft Entra ID: Clients using Microsoft Entra ID may still be able to sign in even after the certificate has expired. Entra may automatically fall back to turning off token encryption while marking the certificate in the admin center as being expired. In this scenario, emitted SAML tokens will no longer be encrypted, but clients will still be able to sign in to Laserfiche Cloud.
  • Okta: Clients using Okta may see an error message when attempting to sign in after the certificate has expired. The Okta Admin Console will show that the certificate is expired. If the Assertion Encryption option remains set to Encrypted, clients will not be able to sign in to Laserfiche until a valid certificate is uploaded.

Behavior can vary in other identity providers.

Additional Information

If Laserfiche is unable to decrypt a SAML token, users attempting to sign in may receive the following error message:

    Unable to validate saml response. Encrypted Assertion(s) could not be decrypted using the configured Service Certificate(s). (6-42)

This error can occur when the identity provider has been configured to encrypt SAML tokens, which is an optional setting. It is returned when the public key certificate the identity provider uses to encrypt the SAML assertions it sends to Laserfiche does not match the private key Laserfiche Cloud uses to decrypt them.

This mismatch most commonly occurs when the certificate is expired.

Resolution

Download the updated certificate from Laserfiche Cloud Account Administration and rotate the corresponding certificate in the identity provider.

See the documentation for steps on replacing the certificate in common identity providers such as Microsoft Entra ID and Okta.
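Before uploading the downloaded certificate to the identity provider (and periodically afterwards), it is worth confirming its validity window and fingerprint so the expiry-driven mismatch described above is caught early. The following shell helper is an added example, not Laserfiche tooling; it assumes the openssl CLI is installed, and the self-signed certificate it generates is a constructed stand-in for the real Laserfiche Cloud certificate.

```shell
#!/bin/sh
# Added example (not Laserfiche's own tooling): inspect a PEM public key certificate
# intended for SAML assertion encryption and flag one that is expired or nearly so.

# Print subject, validity window and SHA-256 fingerprint (to compare against what the
# identity provider displays for the uploaded certificate). Returns 0 if the certificate
# remains valid for at least $2 more days (default 30), 1 if it expires sooner.
check_saml_encryption_cert() {
    cert="$1"
    min_days="${2:-30}"
    openssl x509 -in "$cert" -noout -subject -startdate -enddate -fingerprint -sha256
    # -checkend N exits non-zero when notAfter falls within N seconds from now
    if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)); then
        echo "OK: certificate is valid for at least $min_days more day(s)"
        return 0
    else
        echo "ROTATE: certificate expires within $min_days day(s) or has already expired"
        return 1
    fi
}

# Constructed test fixture: a self-signed P-256 certificate valid for $2 days, written
# to $1 (key beside it). Used only to exercise the check offline.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "${1%.pem}.key" -out "$1" -days "$2" \
        -subj "/CN=example-saml-encryption-cert" 2>/dev/null
}

# Usage: ./check_cert.sh laserfiche-cloud.pem [min_days]
if [ "$#" -ge 1 ]; then
    check_saml_encryption_cert "$@"
fi
```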