How to Check if a SAML Certificate is Expired
What
Users are unable to login using SSO and they are using SAML2.
In the security configuration you'll see the error message below. Find the configuration under the SSO settings in Administrator > Security > Admin, then click Edit on SAML2 (WAYF, Shibboleth).
Stacktrace
Wed Nov 25 11:20:05 UTC 2020 AuthenticationFailureServiceExceptionEvent org.springframework.security.AuthenticationServiceException: Error validating SAML message; nested exception is org.opensaml.common.SAMLException: Received response has invalid status code
This error often occurs when the certificate is expired.
How
Checking the certificate:
- Go to Administrator > Security > Admin and click Edit on SAML2 (WAYF, Shibboleth)
- Copy the PEM formatted certificate found under "Certificate (PEM format) to use for secure communication with the IDP" and "Certificate (PEM format) of the IDP used to verify metadata signatures when applicable"
- Paste it in here one at a time: https://www.sslshopper.com/certificate-decoder.html
- The decoder will give you the following information:
  - Common Name
  - Valid From
  - Valid To
  - Serial Number
- Check the Valid To date to confirm whether the certificate has expired.
If the certificate has expired, you'll need to generate a new one and update your SAML2 configurations.
Note that this is generally not something the Pure team generates. If you are unsure how to get this updated, your local IT might be able to help.
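The same check can be done locally with openssl instead of pasting the PEM into a third-party decoder. The script below is an added example, not part of the Pure documentation; it assumes the PEM text from the two configuration fields has been saved to files and that openssl is installed, and the certificate it generates for testing is a constructed throwaway, not a real Pure or IdP certificate.

```shell
#!/bin/sh
# Added example, not part of the Pure documentation: check SAML certificate
# expiry locally with openssl instead of pasting the PEM into a web decoder.
# Usage: sh check_saml_cert.sh sp-cert.pem idp-cert.pem   (WARN_DAYS=30 by default)

# check_cert_expiry FILE [WARN_DAYS]
# Prints the subject and "notAfter" (the decoder's "Valid To") and returns:
#   0 = valid beyond the warning window, 1 = expires within WARN_DAYS,
#   2 = already expired, 3 = file is not a readable PEM certificate
check_cert_expiry() {
    cert_file="$1"
    warn_days="${2:-30}"
    # -noout stops openssl echoing the PEM back; -subject/-enddate print the fields
    openssl x509 -in "$cert_file" -noout -subject -enddate || return 3
    # -checkend N exits non-zero if the cert expires within N seconds; 0 means "now"
    if ! openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: $cert_file"
        return 2
    fi
    if ! openssl x509 -in "$cert_file" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRES WITHIN ${warn_days} DAYS: $cert_file"
        return 1
    fi
    echo "OK: $cert_file"
    return 0
}

# make_sample_cert FILE DAYS
# Constructed throwaway self-signed certificate (not a real Pure or IdP cert),
# used only so the check can be exercised offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=sample-saml-sp" >/dev/null 2>&1
}

# Check every PEM file given on the command line (SP cert and IdP cert).
for cert in "$@"; do
    check_cert_expiry "$cert" "${WARN_DAYS:-30}"
done
```

A non-zero exit from the check is what to alert on; a cert that is only days from its Valid To date is the usual cause of the login failure above appearing without warning.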
Updated at July 27, 2024