SecurID Access Prime: Replacing SAML Response Certificate of a SAML Identity Provider integrated with the Self-Service Portal
Article Number
Applies To
RSA Product/Service Type: SecurID Access Prime
Issue
Resolution
- Obtain the new certificate used to validate the SAML Responses from the identity provider.
- For each Prime server for which the SAML identity provider is used to access the Self-Service Portal on, do the following:
- Copy the new certificate to the Prime server's /tmp directory.
- Log into the Prime server as the primekit user.
- Navigate to the /opt/rsa/primekit/configs/amis directory.
- Linux: cd /opt/rsa/primekit/configs/amis
- Make a backup copy of the authconfig.xml file in this directory.
- Linux: cp authconfig.xml authconfig.xml.backup
- Edit the authconfig.xml file.
- Linux: vi authconfig.xml
- In the authconfig.xml file, look for the section of text between the <saml> and </saml> tags. This should contain the configuration of the SAML identity provider integrated with Prime. To double check, verify that the URL between the <idpURL> and </idpURL> tags refers to the identity provider from which the new SAML Response certificate was obtained.
- Within the <saml> and </saml> tags, note the values between the following tags:
- <samlJavaKeyStore> and </samlJavaKeyStore> (contains the path to the java keystore that holds the old SAML Response certificate.)
- <samlJavaKeyStorePassword> and </samlJavaKeyStorePassword> (contains the password for the above keystore.)
- Within the same <saml> and </saml> tags, modify the value between the <assertionSignatureValidationCertificateAlias> and </assertionSignatureValidationCertificateAlias> tags so that it is a new unique value. This new value will be used as an alias for the new SAML Response certificate when importing it into the keystore.
- Save the updated authconfig.xml file.
- Import the new SAML Response certificate into the <samlJavaKeyStore> using the new <assertionSignatureValidationCertificateAlias> value.
- Linux: /opt/rsa/primekit/java/latest/bin/keytool -import -alias <assertionSignatureValidationCertificateAlias> -file /tmp/<new SAML Response certificate> -keystore <samlJavaKeyStore>
- Restart the AMIS service.
- Linux: service tomcat-amis restart
- Restart the SSP service.
- Linux: service tomcat-ssp restart
- Test logging into the Prime SSP using the SAML identity provider.
Related Articles
"Authentication station status was 9" error when accessing RSA Authentication Manager Prime Self Service Portal (SSP) with… Number of Views How to disable the [Done] button in AMIS AM Prime Self Service Portal, SSP during QR code display Number of Views QR code not displaying in the RSA Authentication Manager Prime Self-Service Portal (SSP) Number of Views Configure password and security questions chained login for RSA Authentication Manager Prime Kit Self-Service Portal (SSP) Number of Views Prime kit tomcat.pid: Permission denied error when restarting services for RSA Authentication Manager Prime Kit Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes for RSA Authentication Manager 8.8 Deploying RSA Authenticator 6.2.2 for Windows Using DISM Downloading RSA Authentication Manager license files or RSA Software token seed records
Don't see what you're looking for?
