AWS Single Sign-On supports zero-downtime external IdP certificate rotation

Posted on: May 13, 2020

AWS Single Sign-On (AWS SSO) administrators can now rotate the X.509 certificates they use for external identity providers (IdPs) with zero authentication downtime.

It is a best practice to limit the impact of certificate compromise by periodically rotating certificates, and by enforcing short-lived certificate expiration dates as a forcing function to do so. When rotating certificates, administrators must update the certificate on both their IdP and AWS SSO, which can cause authentication downtime during the process. To avoid authentication failures during the rotation, AWS SSO now enables administrators to install a replacement certificate in AWS SSO while the existing certificate remains available for use. Administrators can then update their IdP to enable the new certificate and remove the old certificate from AWS SSO, without causing authentication downtime. AWS SSO enables administrators to have multiple active certificates to facilitate this graceful rotation.
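The rotation sequence above, as an added illustration that is not AWS code: the service-provider side is modelled as a trust store holding several active IdP signing keys (the public keys of the X.509 certificates, with the certificate wrapper omitted), the IdP as a PKCS#1 v1.5 / SHA-256 signer, and the keys and SAML response are constructed for the demo. It shows why switching the IdP before installing the replacement causes an outage, and why the install-switch-remove order does not.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// TrustStore models the set of active IdP certificates held by AWS SSO. Only
// the public keys matter for verification, so the X.509 wrapper is omitted.
type TrustStore struct{ keys []*rsa.PublicKey }

// Verify accepts an assertion if any active certificate validates its signature.
func (t *TrustStore) Verify(assertion, sig []byte) bool {
	h := sha256.Sum256(assertion)
	for _, k := range t.keys {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], sig) == nil {
			return true
		}
	}
	return false
}

// Sign models the IdP signing a SAML response with its current signing key.
func Sign(key *rsa.PrivateKey, assertion []byte) []byte {
	h := sha256.Sum256(assertion)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]) // demo: error ignored
	return sig
}

// Rotate walks the rotation and reports, per step, whether the IdP's current
// signature is accepted: switch-before-install, after install, after IdP
// switch, after old removed, and finally that the retired key is rejected.
func Rotate() []bool {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo keys
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("<samlp:Response>constructed sample</samlp:Response>")
	sp := &TrustStore{keys: []*rsa.PublicKey{&oldKey.PublicKey}}
	naive := sp.Verify(msg, Sign(newKey, msg))        // IdP switched first: outage
	sp.keys = append(sp.keys, &newKey.PublicKey)      // step 1: install replacement in AWS SSO
	afterInstall := sp.Verify(msg, Sign(oldKey, msg)) // old cert still signs
	afterSwitch := sp.Verify(msg, Sign(newKey, msg))  // step 2: IdP uses new cert
	sp.keys = sp.keys[1:]                             // step 3: remove old cert
	afterRemove := sp.Verify(msg, Sign(newKey, msg))
	oldRejected := !sp.Verify(msg, Sign(oldKey, msg))
	return []bool{naive, afterInstall, afterSwitch, afterRemove, oldRejected}
}
func main() { fmt.Println(Rotate()) } // prints [false true true true true]
```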

This feature is available in the AWS SSO management console at no additional cost within all AWS SSO supported regions.

For more information on how to best manage external identity provider certificates within your AWS SSO environment, please see the AWS SSO - External IdP Certificate Management documentation.