SSO: Key Rollover

Find out more about key rollover.

Written by Christina

With SAML SSO, certificates are exchanged between the service provider (anny) and the identity provider (e.g. Microsoft). These certificates are essential for secure authentication during SSO: they are used to sign the data exchanged between the service provider and the identity provider, and each party verifies the signature to ensure that the request has not been tampered with.

Key rollover explanation

These certificates are exchanged during setup via the metadata. Each certificate has a specific expiration date. Once this date is reached, the certificate is no longer valid. All requests signed with an expired certificate are rejected.

A key rollover is carried out regularly so that login remains possible. It takes place in two steps.

Step 1: A new certificate is created and published

At this point, both certificates are valid, and the identity provider or service provider can store the new certificate. Requests continue to be signed with the existing certificate, so there is no interruption.

Step 2: The old certificate is no longer used

After a grace period, the old certificate is no longer used and is no longer published in the metadata. All requests are now signed with the new certificate, which the service provider or identity provider has already stored in the meantime.

This ensures that the login is possible at all times without interruptions.

Identity Provider Key Rollover

If your identity provider performs a key rollover and you have stored the metadata URL with anny, you have nothing further to do. We check twice a day whether your identity provider has published new certificates and update them on our side.
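The following is an added example, not anny's code, showing what the two-step rollover described above looks like from the relying party's side when it refreshes the identity provider's metadata (the check described in the previous paragraph). The point it makes: the trusted set must be every signing certificate the metadata currently publishes, not just the newest one, because in step 1 the identity provider still signs with the old certificate while the new one is already published, and in step 2 the old one disappears. The metadata structure follows SAML 2.0 metadata (`md:KeyDescriptor`, `ds:X509Certificate`); the certificate bodies and the entityID are constructed placeholders, not real X.509 certificates or a real provider.

```python
"""Track an IdP's published signing certificates across a key rollover.

Added example (not anny's code).  Standard library only.  The certificate
bodies are constructed placeholder bytes, not real X.509 certificates;
fingerprinting works on the raw DER bytes so no X.509 parsing is needed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


def fingerprint_of(cert_b64):
    """SHA-256 fingerprint of a base64-encoded certificate body."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def extract_signing_certs(metadata_xml):
    """Return {fingerprint: der_bytes} for every certificate the IdP publishes for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; encryption-only keys are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = cert.text or ""
            certs[fingerprint_of(b64)] = base64.b64decode("".join(b64.split()))
    return certs


def refresh_trust(cached_fps, fresh_fps):
    """Apply a metadata refresh: trust exactly what the IdP currently publishes.

    Returns what changed (for an operator notification) plus the new trust set.
    """
    return {
        "added": sorted(fresh_fps - cached_fps),
        "retired": sorted(cached_fps - fresh_fps),
        "trusted": set(fresh_fps),
    }


def build_metadata(certs):
    """Build a minimal IdP metadata document (constructed test input).

    `certs` is a list of (base64 body, use) pairs; use=None omits the attribute.
    """
    parts = [
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
        'entityID="https://idp.example.invalid/idp">' % (MD, DS),
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">',
    ]
    for b64, use in certs:
        attr = ' use="%s"' % use if use else ""
        parts.append(
            "<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" % (attr, b64)
        )
    parts.append("</md:IDPSSODescriptor></md:EntityDescriptor>")
    return "".join(parts)


# Constructed placeholder certificate bodies (not real certificates).
OLD_CERT = base64.b64encode(b"constructed-placeholder-old-signing-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-placeholder-new-signing-cert").decode()
ENC_CERT = base64.b64encode(b"constructed-placeholder-encryption-cert").decode()

# Metadata as the IdP would publish it before, during and after the rollover.
INITIAL = build_metadata([(OLD_CERT, "signing"), (ENC_CERT, "encryption")])
STEP1 = build_metadata([(OLD_CERT, "signing"), (NEW_CERT, "signing"), (ENC_CERT, "encryption")])
STEP2 = build_metadata([(NEW_CERT, None), (ENC_CERT, "encryption")])


def rollover_demo():
    """Run the three refreshes in order; return [(phase, refresh_result), ...]."""
    trusted, log = set(), []
    for phase, xml in (("initial", INITIAL), ("step1", STEP1), ("step2", STEP2)):
        result = refresh_trust(trusted, set(extract_signing_certs(xml)))
        trusted = result["trusted"]
        log.append((phase, result))
    return log


if __name__ == "__main__":
    for phase, result in rollover_demo():
        print(phase, "added:", len(result["added"]), "retired:", len(result["retired"]),
              "trusted:", len(result["trusted"]))
```

In step 1 the trusted set holds both signing certificates, so a response signed with either verifies; in step 2 the old certificate drops out of the metadata and is retired automatically. A relying party that pinned a single certificate instead of refreshing from the metadata URL would start rejecting logins as soon as the identity provider switches to the new key.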

Federations Key Rollover

If your identity provider is part of a federation such as the DFN AAI, you do not need to do anything else. We take care of the key rollover automatically. As soon as your identity provider has published the certificate in the federation, we will update it for you.

Service Provider (anny) Key Rollover

As a service provider, we carry out the key rollover fully automatically. 14 days before the certificate expires, we create and publish the new certificate. You will then receive a notification from us.

As a rule, your identity provider picks up the new certificate automatically from our metadata. If this does not happen, you must store the new certificate in your identity provider yourself.
