For Single Sign-on (SSO), the service provider (d.vinci) and the identity provider (that you have chosen) exchange information via a metadata XML file (see also Set Up Single Sign-on).
The metadata XML file contains a certificate with an expiration date. This certificate must be renewed regularly before it expires.


Caution  

  • Your IT colleagues are responsible for providing a renewed metadata XML file for uploading in d.vinci.
  • Your system administrator (users with the right to edit SSO settings) must ensure that the metadata XML file is regularly updated in d.vinci.
  • If the contained certificate expires, SSO can no longer be used and all SSO users will be shut out of the system unless they have a username and a password for regular login.
  • After the certificate has expired, changing the metadata XML file becomes troublesome.


Manual Updating

The metadata XML file that contains the certificate can be manually uploaded to d.vinci. Accordingly, it must be updated manually, too.

Starting 20 days before expiration, users with the right to edit SSO settings will see the following warning:

The single sign-on certificate will expire soon. Users will no longer be able to log in with the single sign-on. Please update the certificate.


Note  

The warning message is intended to support system administrators and is therefore shown only to users who can edit the SSO settings and update the certificates. System administrators who log in to the system only sporadically may miss the time window in which the warning is displayed. If you use the manual update, you as administrator should therefore keep an eye on the expiration dates of the certificates outside of d.vinci, e.g. with a calendar entry.


Automated Updating

You can use the automated retrieval of the metadata XML file if you have specified a URL path as the source of the metadata XML file. The system checks the URL daily and compares the file found there with the one used in d.vinci. If the system detects that the file behind the URL path differs from the file in use, it automatically downloads the new file and replaces the previous one. In this way, the exchange data of the SSO services remain up to date and the included certificates are also renewed.

Usually, the automated update works smoothly and as a system administrator you only need to make sure that the file behind the URL path is updated regularly.

In exceptional cases, the automated update may fail for various reasons. d.vinci will then try again. After three failures, the system issues a warning message.
The failure of the update does not necessarily have to do with the expiration date of the included certificate. It may happen that the certificate is still valid for a few weeks, but the automated retrieval still fails.

For these reasons, the following warning messages may be issued.

  1. Retrieval failed 3x, more than 5 days left until expiration (urgent):

    Single sign-on is not working correctly. Please check the SSO settings

  2. Retrieval failed 3x, less than 5 days left until expiration (very urgent):

    Single sign-on is not working correctly. Please check the SSO settings