Vault uses a certificate for secure data transfer between the server and web browsers (HTTPS), and a separate certificate for SAML SSO and for Spark Messages.
The HTTPS web server certificate periodically rolls over with little impact. In some instances, a user may need to clear the local browser cache, but this is not typically required.
The SAML and Spark Messaging certificate rolls over every three (3) years and requires action from an Admin or a developer to ensure existing integrations work with the new certificate.
About the SAML SSO & Spark Messaging Certificate
All Vaults use the same signing certificate, which is rolled over every three (3) years. Prior to releasing a new certificate, Veeva sends out a maintenance notification detailing the upcoming rollover, including dates.
During the rollover, the previous certificate is still available and you can switch between new and previous certificates if needed. For example, if an integration breaks or you need to perform testing before switching over to the new certificate. Once the rollover period ends, the new certificate becomes the only active certificate.
The SAML SSO & Spark Messaging certificate rollover has five stages:
- New Certificate Publishing. The new certificate is available for download. You can start testing with the new certificate.
- New Certificate Testing Period. The new signing certificate can be tested during this period.
- New Certificate Rollover with Rollback Option. The new signing certificate becomes effective on all SAML Profiles and Spark connections.
- Support for New and Old Certificate. Previous certificate is still supported and can be rolled back, if additional testing is required.
- Final Certificate Rollover. The new signing certificate becomes effective again if you rolled back to the previous certificate. Previous signing certificate is no longer available.
For more detailed information about what to do during a certificate rollover, see SAML SSO & Spark Messaging Certificate Rollover.
Common SAML SSO and Spark Messaging Rollover Issues
- Some SAML SSO identity providers are able to automatically update to the new SP certificate, but some are not. The new certificate may need to be configured on your provider’s system prior to the initial rollover event. Please contact your Identity Provider administrator for details on the process to update the certificate on their servers. If you have other questions, you can always contact Veeva Support.
- When the new certificate is released, Vault SAML SP Metadata includes both the old and the new certificate. Some IdPs auto-update the certificates for their SP configuration by downloading the SP Metadata from the Vault SAML Profile, installing both the old and the new certificate. This may cause IdPs such as ADFS to reject Vault issued SP-initiated SAML calls because the IdP doesn’t know which certificate to use to validate the signature. See About SP Certificates.
- Some Spark Messaging integrations may cache the certificate, so when the initial certificate rollover occurs, the new certificate may not be picked up immediately. Ensure your cached certificates are set to refresh frequently.