Generating SAML SP metadata for Deployments that have the SSL cert applied externally (at the Gateway)

Whenever the SSL certificate/private key for Metric Insights is applied externally (e.g. at the Ingress Controller, at the Load Balancer, or at the route level for OpenShift), the same SSL certificate/private key pair must also be applied inside the Web master pod/Web container, in the /opt/mi/ssl/server.crt and /opt/mi/ssl/server.key files, before SAML metadata is generated and shared with the SAML IdP. Please see this documentation for the steps to apply the SSL certificate/private key in the Web master pod/Web container.

  • If the proper SSL cert/private key is not applied in the /opt/mi/ssl/server.crt and /opt/mi/ssl/server.key files, the metadata generated in MI and shared with the SAML IdP will contain the wrong certificate information.
  • The MI web service (Apache) cannot see externally placed SSL certificates when generating SAML metadata; it only sees the SSL certs defined internally in /opt/mi/ssl.
  • If you encounter SAML errors pertaining to a mismatch in certificate fingerprints, verify that the externally applied SSL certificate/private key has also been added internally to the /opt/mi/ssl/server.crt and /opt/mi/ssl/server.key files inside the Web master pod/Web container.
  • Once the externally applied certificate/private key has been added inside the Web master pod/Web container as described above, regenerate the SAML metadata in MI under the https://<Metric Insights Server>/simplesaml page as described in this documentation.
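The fingerprint mismatch described above can be checked before the metadata is handed to the IdP: compare the certificate embedded in the SP metadata's ds:X509Certificate element with the certificate the gateway actually presents (saved as PEM, e.g. from the ingress/LB configuration or from openssl s_client). This is an added example, not Metric Insights' own code; the metadata fragment and the certificate bytes are constructed placeholders, and the entityID is assumed.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def fingerprint_der(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex fingerprint of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of a PEM certificate (server.crt or the gateway's cert)."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem), algo)


def metadata_cert_fingerprints(metadata_xml: str, algo: str = "sha256") -> list:
    """Fingerprints of every ds:X509Certificate in the SP metadata.
    SAML metadata carries the bare base64 DER, without PEM armour."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for el in root.iter(f"{{{DSIG_NS}}}X509Certificate"):
        der = base64.b64decode("".join(el.text.split()))
        fps.append(fingerprint_der(der, algo))
    return fps


def check_metadata_against_gateway(metadata_xml: str, gateway_pem: str) -> bool:
    """True only when the gateway's certificate appears in the metadata.
    A False here is what the IdP later reports as a fingerprint mismatch."""
    return fingerprint_pem(gateway_pem) in metadata_cert_fingerprints(metadata_xml)


# Constructed stand-ins: these bytes are placeholders, not real X.509 DER.
GATEWAY_DER = b"constructed DER of the cert applied at the ingress/LB"
STALE_DER = b"constructed DER of the old self-signed cert left in /opt/mi/ssl"
GATEWAY_PEM = ssl.DER_cert_to_PEM_cert(GATEWAY_DER)


def sample_metadata(der: bytes) -> str:
    """Minimal SP metadata fragment carrying one signing certificate (constructed)."""
    return (f'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'xmlns:ds="{DSIG_NS}" entityID="https://mi.example/simplesaml">'
            '<md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')


if __name__ == "__main__":
    # Metadata generated before server.crt was updated -> mismatch, regenerate it.
    print(check_metadata_against_gateway(sample_metadata(STALE_DER), GATEWAY_PEM))
    print(check_metadata_against_gateway(sample_metadata(GATEWAY_DER), GATEWAY_PEM))
```

Against a real deployment, read /opt/mi/ssl/server.crt from the Web container and the gateway's served certificate into the two PEM arguments, and download the metadata from the /simplesaml page.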