For the use of Single Sign-On (SSO), the service provider (d.vinci) and the identity provider (a service of your choice) exchange information in the form of a metadata XML file (see also Set up Single Sign-On).

The metadata XML file contains a certificate with an expiration date. This certificate must be updated regularly before it expires.


Updating the certificate takes place on the Basic Settings page in the SSO tab. Here, the new certificate can be uploaded.


Attention

  • Your IT colleagues are responsible for renewing the metadata XML file of your identity provider and providing it for upload in d.vinci.
  • Your system administrators (users with the right to edit SSO settings) must ensure that the metadata XML file is updated in d.vinci in a timely manner.
  • If the certificate contained in the identity provider's metadata expires, Single Sign-On will no longer function, and all SSO users will be locked out of the system unless they can also log in using a username and password.
  • Replacing the certificate after it has expired is not straightforward.


Manual Update

The metadata XML file, which contains the certificate, can be manually uploaded and must be manually updated accordingly.

Starting 20 days before expiration, users with the right to edit SSO settings will receive the following warning message:

The Single Sign-On certificate will expire soon. Users will then no longer be able to log in using Single Sign-On. Please update the certificate.


Note

The warning message is intended to assist system administrators and is therefore only displayed to users who can edit SSO settings and update certificates. System administrators who log in to the system only sporadically may miss the time window for the displayed warning. If you use the manual update, you should therefore keep track of the expiration dates of the certificates outside of d.vinci, e.g., by creating a calendar entry.
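One way to track the expiration date outside of d.vinci is to read it directly from the metadata XML file. The following is an added example, not d.vinci code: it assumes SAML 2.0 metadata that carries the certificate in a `ds:X509Certificate` element, reads only the `notAfter` field with a minimal DER reader (no signature or chain validation), and reuses the 20-day and 5-day thresholds from this page. All function names and status labels are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace (assumed SAML 2.0 metadata)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    while start < end:
        tag, s, start = _tlv(buf, start)  # start now points past this element
        yield tag, s, start

def not_after(der):
    """notAfter of a DER-encoded X.509 certificate as an aware UTC datetime."""
    _, s, e = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    fields = [f for f in _children(der, s, e) if f[0] != 0xA0]  # skip optional [0] version
    _, (tag, ts, te) = _children(der, *fields[3][1:])  # validity: notBefore, notAfter
    text = der[ts:te].decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 pivots at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_expiries(metadata_xml):
    certs = ET.fromstring(metadata_xml).iter(DS + "X509Certificate")
    return [not_after(base64.b64decode(el.text)) for el in certs]  # b64decode skips whitespace

def status(expiry, now):
    days = (expiry - now).days
    return ("expired" if days < 0 else "very urgent" if days < 5
            else "warning" if days <= 20 else "ok")

# Constructed sample: skeleton certificate (unsigned, not a real one) inside minimal metadata.
_d = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER lengths only
_validity = _d(0x30, _d(0x17, b"250101000000Z") + _d(0x17, b"260115120000Z"))
_tbs = _d(0x30, _d(0xA0, _d(2, b"\x02")) + _d(2, b"\x01") + _d(0x30, b"") * 2 + _validity)
SAMPLE = ('<EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Certificate>'
          + base64.b64encode(_d(0x30, _tbs)).decode() + "</ds:X509Certificate></EntityDescriptor>")

if __name__ == "__main__":
    for exp in cert_expiries(SAMPLE):
        print(exp.isoformat(), status(exp, datetime.now(timezone.utc)))
```

Run on a schedule against the identity provider's current metadata file, this gives an alert that does not depend on an administrator logging in to d.vinci during the warning window.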


Automatic Update

You can use the automated retrieval of the metadata XML file if a URL path has been specified as the source of the metadata XML file. The system checks the URL daily and compares the file found there with the one used in d.vinci. If the system detects that the file behind the URL path differs from the one being used, it automatically downloads the new file and replaces the previous one. This ensures that the exchange data of the SSO services remains up to date, and the included certificates are renewed.

In most cases, the automated update works smoothly, and as system administrators, you only need to ensure that the file behind the URL path is regularly updated.

In exceptional cases, the automated update may fail for various reasons. d.vinci will then try again. After three failed attempts, the system will issue a warning message.
The failure of the update does not necessarily relate to the expiration date of the included certificate. It may happen that the certificate is still valid for a few weeks, but the automated retrieval still fails.

For these reasons, the following warning messages may be issued:

  1. The retrieval has failed 3 times, with more than 5 days remaining until expiration (urgent):

    Single Sign-On is not functioning correctly. Please check the SSO settings.

  2. The retrieval has failed 3 times, with less than 5 days remaining until expiration (very urgent):

    Single Sign-On is not functioning correctly. Please check the SSO settings.