
Generating SAML SP metadata for Deployments that have the SSL cert applied externally (at the Gateway)

Whenever the SSL certificate/private key for Metric Insights is applied externally (e.g. at the Ingress Controller, at the Load Balancer, or at the route level on OpenShift only), the same SSL certificate/private key pair must also be applied inside the Web master pod/Web container, in the /opt/mi/ssl/server.crt and /opt/mi/ssl/server.key files, before SAML metadata is generated and shared with the SAML IdP. Please see this documentation for the steps to apply the SSL certificate/private key in the Web master pod/Web container.

  • If the proper SSL certificate/private key is not applied in the /opt/mi/ssl/server.crt and /opt/mi/ssl/server.key files, the metadata generated in MI and shared with the SAML IdP will contain the wrong certificate.
  • The MI web service (Apache) cannot see externally placed SSL certificates when generating SAML metadata; it only sees the SSL certificates defined internally in /opt/mi/ssl.
  • If you encounter SAML errors about a mismatch in certificate fingerprints, verify that the externally applied SSL certificate/private key has also been added internally to the /opt/mi/ssl/server.crt and /opt/mi/ssl/server.key files inside the Web master pod/Web container.
  • Once the externally applied certificate/private key has been added inside the Web master pod/Web container as described above, regenerate the SAML metadata in MI on the https://<Metric Insights Server>/simplesaml page as described in this documentation.
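The fingerprint mismatch above is easy to confirm before re-sharing metadata with the IdP. The following script is an added example (not Metric Insights code) that uses only the Python standard library to compare the certificate embedded in the generated SP metadata (the ds:X509Certificate element) with the certificate in /opt/mi/ssl/server.crt, and can also report the fingerprint of the certificate the external gateway actually serves. The metadata file name, the gateway hostname, the openssl-based key check and the sample certificate bytes are assumptions or constructed placeholders, not values from the article.

```python
"""Compare the certificate embedded in Metric Insights' SAML SP metadata with
/opt/mi/ssl/server.crt and, optionally, with the certificate the external
gateway serves. Added example, standard library only; not Metric Insights code.
Paths, hostnames and the sample data below are assumptions/constructed."""
import base64
import hashlib
import re
import ssl
import subprocess
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"  # namespace of ds:X509Certificate in SP metadata


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form that IdP errors and openssl display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def metadata_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every ds:X509Certificate element in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for el in root.iter("{%s}X509Certificate" % DS_NS):
        # The element carries base64 DER without PEM armor lines.
        der = base64.b64decode("".join((el.text or "").split()))
        fps.append(fingerprint(der))
    return fps


def metadata_matches_file(metadata_xml: str, server_crt_pem: str) -> bool:
    """True only when the metadata carries at least one certificate and all of them equal server.crt."""
    file_fp = fingerprint(pem_to_der(server_crt_pem))
    md_fps = metadata_fingerprints(metadata_xml)
    return bool(md_fps) and all(fp == file_fp for fp in md_fps)


def gateway_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate the external gateway presents (needs network access)."""
    return fingerprint(pem_to_der(ssl.get_server_certificate((host, port))))


def key_matches_cert(crt_path: str, key_path: str) -> bool:
    """Check that server.key belongs to server.crt by comparing public keys via openssl (assumed installed)."""
    cert_pub = subprocess.run(["openssl", "x509", "-in", crt_path, "-noout", "-pubkey"],
                              capture_output=True, check=True).stdout
    key_pub = subprocess.run(["openssl", "pkey", "-in", key_path, "-pubout"],
                             capture_output=True, check=True).stdout
    return cert_pub.strip() == key_pub.strip()


# Constructed sample data (not real certificates): enough to exercise parsing and comparison.
SAMPLE_DER = b"constructed-placeholder-der-bytes"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % SAMPLE_B64
OTHER_B64 = base64.b64encode(b"a-different-placeholder-certificate").decode()

_MD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="%s">'
       '<md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
       '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
       '</md:SPSSODescriptor></md:EntityDescriptor>')
SAMPLE_METADATA = _MD % (DS_NS, SAMPLE_B64)  # metadata generated after server.crt was updated
STALE_METADATA = _MD % (DS_NS, OTHER_B64)    # metadata generated before the cert was applied internally

if __name__ == "__main__":
    # Usage inside the Web master pod/Web container; metadata.xml is an assumed local copy of the SP metadata.
    with open("/opt/mi/ssl/server.crt") as crt, open("metadata.xml") as md:
        print("metadata matches server.crt:", metadata_matches_file(md.read(), crt.read()))
    print("server.key matches server.crt:", key_matches_cert("/opt/mi/ssl/server.crt", "/opt/mi/ssl/server.key"))
```

Run it inside the Web master pod/Web container after downloading the SP metadata: a False result on the first line means the metadata was generated from a different server.crt than the one now in /opt/mi/ssl and must be regenerated; comparing gateway_fingerprint("<Metric Insights Server>") with fingerprint(pem_to_der(server_crt)) tells you whether the internal copy matches what the gateway serves.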