You may have recently received an automated email warning about the imminent expiry of a federation certificate in your virtual datacentre, reading as follows:
“The federation certificate expiration is [DATE] [TIME]. An expired certificate may disable federation with the identity provider setup with your organization. The certificate can be regenerated from the Federation Settings page.”
The federation certificate is a part of the SAML Identity Provider process introduced in vCloud Director 5.1, to which we upgraded last year. SAML can be used within vCloud organisations as a basis for user authentication to their vDC (i.e. for authentication to your virtual datacentre through the vCloud portal account that you use to gain access to the consoles of your VMs). Most customers use either the inbuilt vCloud Director accounts or local Active Directories for this – if you are using SAML you should already know, as you will have had to explicitly set it up. Unfortunately vCloud Director does not actually check whether or not this message is relevant to you. It just sends out the warning regardless.
Federation certificates are valid for one year and warning e-mails go out a week before they expire. The update process is fortunately very straightforward:
1. Log into your vCloud environment and click on the Administration tab.
2. On the left hand side of this menu, choose the Federation link under the Settings menu. You should see the following screen:
3. The “Use SAML Identity Provider” box should be unchecked. If it is, continue with this procedure. If it is checked, then please stop here. Contact NSMS and we will advise further.
4. Scroll to the bottom of the screen to the Certificate section, displaying the expiration details underneath. Click the Regenerate button to create a new certificate.
5. The system will prompt you with the following message:
Provided the “Use SAML Identity Provider” box from the previous steps is unchecked, it is safe to click on OK and regenerate the certificate. The new certificate will be generated and the new expiration date displayed (it will be valid for one year).