I have a Jamf Pro server which is connected to Microsoft’s Entra ID for its directory service. Recently, I received an email from Microsoft letting me know that the SAML signing certificate for the Entra ID app I was using to provide a connection between Jamf Pro and Entra ID was coming up for expiration in about 30 days.
This certificate is used by Entra ID to sign the SAML tokens issued to the Entra ID app and, by default, it is valid for three years. For those interested, Microsoft has a KBase article available with more information about this topic:
Tutorial: Manage certificates for federated single sign-on: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on
The instructions for rotation of this certificate are pretty straightforward and were provided in the email sent to me by Microsoft.
I scheduled the rotation during a planned maintenance downtime and everything appeared fine once the new SAML signing certificate was in place and active.
However, when I logged into Jamf Pro following the certificate rotation, I noticed I had a new notification appearing:
Signing Certificate issued by SSO Identity Provider is expiring in 30 days
Since I had just rotated the SAML signing certificate and had verified that the new one (which does not expire in 30 days) was the active one, this message was concerning. After some research, I ran across a Jamf Nation discussion which provided an explanation for the message:
Even though the old SAML signing certificate was now marked as inactive, Jamf Pro was still detecting its presence and reporting (correctly) that it would expire in 30 days.
From there, the solution was straightforward: Delete the inactive SAML signing certificate from Entra ID.
This left only the active SAML signing certificate listed in Entra ID, and that certificate's expiration date is more than 30 days away.
Once the inactive SAML signing certificate was deleted, Jamf Pro took about twenty minutes to register that fact. After that, the notification message disappeared from Jamf Pro without additional actions needed on my part.
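The condition behind the notice can be reproduced with a small check of your own, added here as an example and not taken from the original post or from Jamf: read the IdP's SAML metadata, take every published signing certificate (active or not, since the metadata does not distinguish them) and flag any whose notAfter is within 30 days. The metadata and certificates below are constructed stand-ins built inline; the entity ID, dates and key material are assumptions, and only the standard library is used.

```python
# Added example (not from the original post): all IdP-published SAML signing certs vs. a 30-day expiry window.
import base64, datetime as dt
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NOW = dt.datetime(2025, 1, 1, tzinfo=dt.timezone.utc)  # fixed clock so the run is reproducible

def _children(seq):  # split the body of a DER SEQUENCE into (tag, value) pairs, long-form lengths included
    out, pos = [], 0
    while pos < len(seq):
        tag, ln, pos = seq[pos], seq[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            k = ln & 0x7F
            ln, pos = int.from_bytes(seq[pos:pos + k], "big"), pos + k
        out.append((tag, seq[pos:pos + ln]))
        pos += ln
    return out

def not_after(der):
    """notAfter of a DER X.509 cert via a positional walk of TBSCertificate: version? serial sigAlg issuer validity."""
    fields = _children(_children(_children(der)[0][1])[0][1])  # Certificate -> tbsCertificate -> its fields
    if fields[0][0] == 0xA0:  # drop the optional [0] EXPLICIT version (present in every v3 certificate)
        fields = fields[1:]
    tag, t = _children(fields[3][1])[1]  # Validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(t.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def signing_certs(metadata_xml):
    """Every KeyDescriptor usable for signing; a missing 'use' attribute means signing and encryption."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            b64 = kd.find(".//ds:X509Certificate", NS).text
            certs.append(base64.b64decode("".join(b64.split())))
    return certs

def expiring_soon(metadata_xml, now, days=30):  # expiry dates of published signing certs that run out within `days`
    return [e for e in map(not_after, signing_certs(metadata_xml)) if e - now <= dt.timedelta(days=days)]

def _der(tag, body):  # minimal DER TLV encoder (short-form lengths only) for the constructed samples below
    return bytes([tag, len(body)]) + body

def fake_cert(exp):
    """Constructed stand-in carrying just the fields not_after() reads; NOT a real or signed certificate."""
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, exp.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity
    return _der(0x30, _der(0x30, tbs))

def sample_metadata(now):
    """Constructed IdP metadata: the rotated-in cert (3 years) plus the inactive old one (25 days left)."""
    keys = "".join(f"<md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                   f"{base64.b64encode(fake_cert(e)).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
                   for e in (now + dt.timedelta(days=3 * 365), now + dt.timedelta(days=25)))
    return (f"<md:EntityDescriptor xmlns:md=\"{NS['md']}\" xmlns:ds=\"{NS['ds']}\" entityID=\"https://idp.example.test/\">"
            f"<md:IDPSSODescriptor>{keys}</md:IDPSSODescriptor></md:EntityDescriptor>")

def demo(now=NOW):  # run the check on the constructed metadata; ISO dates of certs expiring within 30 days
    return [e.isoformat() for e in expiring_soon(sample_metadata(now), now)]
```

Pointed at real metadata, the same walk finds the old certificate for as long as it stays published, which is why the notice persists until the inactive entry is deleted rather than merely deactivated.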