
Do we need to reupload SP metadata every time we renew the Tomcat cert?

Devansh
Level 1

Do we need to reupload the SP metadata every time we renew the Tomcat certificate? If yes, may I know why we need to do this?

3 Replies

You need to update the trust in the IdP when you renew the Tomcat certificate. The reason is to get the new certificate value into the trust on the IdP, as that is used for the communication between the system and the IdP.





Ratheesh Kumar
VIP Alumni

That's correct; as Roger mentioned, you have to. It's mentioned in the SSO Deployment Interactions and Restrictions.

 

SAML SSO Deployment Interactions and Restrictions

Feature | Feature Interaction

Tomcat Certificate Regeneration

If you regenerate the Tomcat Certificates, generate a new metadata file on the Service Provider and upload that metadata file to the IdP.

Metadata Regeneration

The metadata file regenerates if you perform one of the following:

  • Change Self-Signed Certificates to Tomcat Certificates and vice-versa.

  • Regenerate Tomcat Certificates to ITL Recovery Certificates.

The CUCM downloads the regenerated metadata file and uploads to the IdP.

 

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/12_0_1/cucm_b_saml-sso-deployment-guide-1201/cucm_b_saml-sso-deployment-guide-1201_chapter_010.html#reference_AEC9AFBC3407CEB427B1310030C40F08

 

 

Hope this Helps

Cheers
Rath!

***Please rate helpful posts and if applicable mark "Accept as a Solution"***

 

To add to this, if the IdP managers know what they're doing, they can take the new certificate value and update the current trust in the IdP with that instead of uploading the new SP metadata file. This is commonly what we do once the Tomcat cert has been renewed.
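
One way to check whether the IdP trust discussed in this thread is out of date after a renewal, as an added example that is not from the original posts or from Cisco: it compares the SHA-256 fingerprint of the certificate now in use with the certificates in the SP metadata the IdP holds. It assumes standard SAML 2.0 metadata (`SPSSODescriptor`/`KeyDescriptor`); the entity ID and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def metadata_cert_fingerprints(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' value to the fingerprints of its certificates."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata needs no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in SAML metadata")
    found = {}
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "unspecified")  # no 'use' means signing and encryption
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.setdefault(use, set()).add(fingerprint(der))
    return found

def trust_is_stale(idp_held_metadata: str, current_cert_pem: str) -> bool:
    """True when the metadata the IdP holds lacks the certificate now in use."""
    current = fingerprint(ssl.PEM_cert_to_DER_cert(current_cert_pem))
    held = metadata_cert_fingerprints(idp_held_metadata)
    return all(current not in fps for fps in held.values())

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_DER = b"constructed placeholder: Tomcat cert before renewal"
NEW_DER = b"constructed placeholder: Tomcat cert after renewal"

def sample_metadata(der: bytes) -> str:
    """Build minimal SP metadata around a certificate (hypothetical entityID)."""
    b64 = base64.b64encode(der).decode()
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="sp.example.test">'
        '<md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    pem = ssl.DER_cert_to_PEM_cert(NEW_DER)
    print(trust_is_stale(sample_metadata(OLD_DER), pem), trust_is_stale(sample_metadata(NEW_DER), pem))
```

With real data, pass the metadata XML exported from the IdP's current trust and the PEM of the certificate now installed on the service provider.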


