This guide shows how to use the Okta Identity Providers API to generate a 2-year certificate as an alternative to the standard 10-year Identity Provider (IdP) certificate. The Postman app is used for the demonstration.
- Okta Administrators who want to generate a 2-year IdP certificate
- Users of the Identity Providers API
- Credential signing process
- Certificate generation process
Prerequisites
- Postman is configured for the Okta environment (follow the steps to integrate Postman with Okta).
- The Identity Providers collection has been downloaded for Postman
Steps
If the standard 10-year IdP certificate expiration period does not meet the requirements, a 2-year certificate can be generated using the procedure below.
- Open the Postman app and run the List IdPs request in the Identity Providers collection. From the response, note the "id" of the IdP and the "kid" of its issuer (under the "trust" section of its credentials); both are used in the following steps.
- To generate a new certificate, use the Generate Certificate request in the Identity Providers collection in Postman. Replace {{url}} with the desired Okta instance URL and {{idpID}} with the Identity Provider ID, using the "id" value noted in the previous step. Note the "kid" of the certificate returned in the response.
- Next, run the Update Signing Certificate request from the Identity Providers collection in Postman.
In the body of this call, set the "kid" in the "trust" section of "credentials" to the "kid" of the issuer noted in step 1, and set the "kid" in the "signing" section to the "kid" of the certificate noted in step 2. The "credentials" section of the request body should look like this (the values shown are placeholders):

```json
"credentials": {
  "trust": {
    "issuer": "https://idp.example.com",
    "audience": "https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M",
    "kid": "74bb2164-e0c8-4457-862b-7c29ba6cd2c9"
  },
  "signing": {
    "kid": "ds1yk42lTZbaEyxhIsa1Yeyh5sKDh3rppH2zjVV04wk"
  }
}
```

Here "trust.kid" is the "kid" of the issuer noted in step 1, and "signing.kid" is the "kid" of the certificate noted in step 2.
- Upon successfully executing the API call, navigate to the Okta Admin portal and refresh the page. The new 2-year certificate is now available for download.
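The same three calls the Postman collection makes, scripted, as an added example that is not part of this article or of any Okta-provided code. It assumes the documented Identity Providers API endpoints (GET and PUT /api/v1/idps/{idpId}, and POST /api/v1/idps/{idpId}/credentials/keys/generate with validityYears set to 2) and an SSWS API token; the environment variable names and the injectable `send` callback are this example's own conventions. The point it adds beyond the steps above: the PUT does not support partial updates, so the script fetches the full IdP object first and replaces only signing.kid, leaving trust.kid (the issuer's key) untouched, so the issuer's trust relationship is not broken by the rotation.

```python
"""Rotate an Okta IdP signing certificate to a new 2-year key (added example).

Assumed endpoints (Okta Identity Providers API):
  GET  /api/v1/idps/{idpId}
  POST /api/v1/idps/{idpId}/credentials/keys/generate?validityYears=N
  PUT  /api/v1/idps/{idpId}
OKTA_URL / OKTA_API_TOKEN / OKTA_IDP_ID and the `send` hook are this
example's own names, not Okta's.
"""
import copy
import json
import os
import urllib.request


def okta_request(base_url, token, method, path, body=None, send=None):
    """Build one authenticated Okta API request and hand it to `send`.

    `send` receives a urllib Request and returns the decoded JSON body; it
    defaults to a real HTTPS call, and tests can swap in a recorder.
    """
    url = base_url.rstrip("/") + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "SSWS " + token,   # Okta API token scheme
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    if send is None:
        def send(r):
            with urllib.request.urlopen(r) as resp:
                return json.load(resp)
    return send(req)


def generate_signing_key(base_url, token, idp_id, validity_years=2, send=None):
    """Step 2: ask Okta to mint a new IdP signing key; returns its kid.

    Okta accepts validityYears from 2 to 10; reject anything else locally
    so a typo cannot silently produce a 10-year key.
    """
    if not 2 <= validity_years <= 10:
        raise ValueError("validityYears must be between 2 and 10")
    path = (f"/api/v1/idps/{idp_id}/credentials/keys/generate"
            f"?validityYears={validity_years}")
    key = okta_request(base_url, token, "POST", path, send=send)
    return key["kid"]


def rotate_signing_kid(idp, new_kid):
    """Step 3 body: the full IdP object with protocol.credentials.signing.kid
    replaced. trust.kid (the issuer's key from step 1) is preserved as-is,
    and the input object is not mutated."""
    updated = copy.deepcopy(idp)
    creds = updated["protocol"]["credentials"]
    creds.setdefault("signing", {})["kid"] = new_kid
    return updated


def rotate(base_url, token, idp_id, validity_years=2, send=None):
    """Run steps 1-3: read the IdP, generate the key, update the IdP.
    Returns the IdP object Okta sends back after the update."""
    idp = okta_request(base_url, token, "GET", f"/api/v1/idps/{idp_id}", send=send)
    new_kid = generate_signing_key(base_url, token, idp_id, validity_years, send)
    body = rotate_signing_kid(idp, new_kid)
    return okta_request(base_url, token, "PUT", f"/api/v1/idps/{idp_id}", body, send)


if __name__ == "__main__":
    result = rotate(os.environ["OKTA_URL"], os.environ["OKTA_API_TOKEN"],
                    os.environ["OKTA_IDP_ID"])
    print("signing kid is now", result["protocol"]["credentials"]["signing"]["kid"])
```

After the script runs, the new certificate appears in the Admin portal exactly as in the last step above; the old key stays in the IdP key store until it is removed separately.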
