Introduction
Expected Outcome
This article briefly explains how to rotate your IDP certificates in Terraform Enterprise.
Prerequisites
- Using Terraform Enterprise with SSO SAML enabled.
Use Case
Your IDP certificate is about to expire and needs to be replaced.
Procedure
- Navigate to https://<TFE HOSTNAME>/app/admin/saml and look for Identity Provider Settings.
- Remove the previous IDP certificate by pressing the Revoke old IDP certificate button.
- Paste the contents of your new IDP certificate in the IDP certificate box.
- Press the Save button.
Your current IDP certificate will be stored as the old IDP certificate, and your new IDP certificate will be shown in the IDP certificate box.
You are now able to use your old and new IDP certificates side by side.
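Before pasting the new certificate, it is worth confirming that the file is a well-formed PEM certificate, that it is not itself about to expire, and that its fingerprint matches what your IdP reports for its signing certificate. The script below is an added example and is not part of this article or HashiCorp's tooling; it assumes the openssl command-line tool is installed and uses a constructed, throwaway self-signed certificate as stand-in input for the IdP's new certificate.

```shell
#!/bin/sh
# Added example (not from the KB article): pre-flight checks on a new IdP
# certificate before it is pasted into the TFE "IDP certificate" box.
# Assumes the openssl CLI is available. All file paths are constructed.

# Returns 0 if $1 is a parseable PEM certificate that does not expire within
# $2 seconds (default: 30 days); returns non-zero otherwise.
cert_is_fresh() {
  cert="$1"
  window="${2:-2592000}"
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
  openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1
}

# Prints the SHA-256 fingerprint (colon-separated hex) of the certificate so it
# can be compared against the fingerprint shown in the IdP's admin console.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Prints the certificate's NotAfter date.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Constructed sample input: a self-signed certificate valid for one year that
# stands in for the IdP's new signing certificate. Not for real use.
WORK="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/key.pem" -out "$WORK/new-idp.pem" \
  -subj "/CN=constructed-idp.example" >/dev/null 2>&1

if cert_is_fresh "$WORK/new-idp.pem"; then
  echo "OK: certificate parses and is valid beyond the 30-day check window"
  echo "expires: $(cert_not_after "$WORK/new-idp.pem")"
  echo "sha256:  $(cert_fingerprint "$WORK/new-idp.pem")"
else
  echo "NOT OK: certificate is malformed or expires within the check window" >&2
fi
```

Run it against the real certificate file by replacing the constructed path with your own; a non-zero result from cert_is_fresh means the file should not be pasted into the IDP certificate box as-is.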
Caveat
If the Revoke old IDP certificate button is visible, an old IDP certificate is still stored. That stored old certificate is not overwritten with the current certificate when you add your new certificate: after adding the new certificate, the new certificate is shown in the IDP certificate box, but the old certificate is still the one left over from a previous rotation.
As a result, your current IDP certificate is no longer stored and available. When accessing Terraform Enterprise through the SAML login, you will see an error like:
CONFIGURATION ERROR: Invalid Signature on SAML Response
Also see this KB article for more information regarding the error.
You must therefore revoke the old IDP certificate before adding the new IDP certificate. Once the old certificate has been revoked, the Revoke old IDP certificate button disappears.
When you then add your new certificate, the current certificate is stored as the old IDP certificate.