Basware Purchase-to-Pay (P2P) Single Sign-On (SSO) Service certificate renewal


Summary:

Basware Purchase-to-Pay (P2P) Single Sign-On (SSO) Service certificate will expire on October 29, 2022.  To renew the certificate in a seamless manner, a maintenance activity will be performed on October 16 between 0400 to 1000 UTC.

During the maintenance activity, the new SSO certificate (Serial Number: 43ac5991a95321b684b985132323f966) will be set as primary and the old SSO certificate (Serial Number: 094bc75cad8a1d1474fcb4872ed367af) will be removed.

 

Details of the old certificate that requires replacement:

Serial Number: 094bc75cad8a1d1474fcb4872ed367af
Issuer: Entrust Certification Authority - L1K
Subject: CN = *.p2p.basware.com
Validity Date: September 30, 2021 to October 29, 2022

 

NOTE: As a first step, the new SSO certificate has been added as secondary and updated in the federation metadata.

 

The following steps need to be reviewed and verified by the customer’s internal IT department and/or 3rd party hosting provider that is managing the IdP.

If your Identity Provider (IdP) is checking that the SSO request coming from Basware P2P is signed or if your IdP is sending an encrypted token back to Basware P2P SSO, then the maintenance activity will impact your user logins. If the following recommended actions are not completed, SSO logins will fail until the new certificate is updated and integrated within the IdP trust setup for signing and encryption.

 

Instructions:

1) For customers using a local Basware metadata file

If the Basware Purchase-to-Pay Single Sign-On (SSO) integration is configured using a local copy of Basware's federation metadata file there are two options available:

2) For customers using Basware metadata URL

If SSO integration is configured using the Basware federation metadata URL (https://sso.p2p.basware.com/FederationMetadata/2007-06/FederationMetadata.xml) and configured to automatically update metadata information at regular intervals, it is recommended that you perform a manual trigger of the metadata update after the certificate maintenance on October 16, 2022.

 

Basware recommendations:

 

Frequently asked questions:

Q: Will the SSO login to Basware dev, test, and production P2P systems be impacted on different dates?

A: The change of certificate on Basware P2P dev, test, and production system SSO will be done on the same day - October 16, 2022.

Q: How do we know if our authentication to the Basware P2P system will be impacted by this maintenance?

A: If your logins to the Basware P2P service are using Single Sign-on (SSO) authentication, you could be impacted by this maintenance.

Q: How will my Basware P2P service access and usage be impacted if I do not take the necessary actions by October 16?

A: After the October 16 maintenance activity, the expiring certificate will no longer be used for SSO authentication. Therefore, if the IdP trusts using the old certificate are not updated, SSO logins to Basware P2P services will not work after the maintenance. 

Q: To whom should I forward the information related to this maintenance within my organization?

A: The details related to the maintenance should be forwarded to your IT department or to the IT service vendor who manages the IdP trust setup used for Basware P2P services.

Q: What should we do if we update the certificate or IdP trust on our side on October 16, 2022 but observe errors when trying to login to Basware P2P service?

A: If you encounter any issues after the maintenance, click here to file a case with Basware Support. The case will automatically include a reference to Service ticket BWPB0045738.

Q: Can we perform the update of the IdP trust for Basware P2P before the maintenance date?

A: You can perform the update early if your SSO solution supports multiple certificates, as the new certificate is already updated as secondary. The new certificate is already reflected in the federation metadata. Please do not remove or replace the expiring certificate before the October 16 maintenance activity.

Q: How can we download the new Basware P2P SSO certificate if needed?

A: If you require the new *.p2p.basware.com certificate in advance, you can download the new public certificate. You can also download the new certificate using the federation metadata URL.

Q: What do I need to do in case my IdP trust for Basware P2P SSO does not have a configuration setting for either a certificate or a metadata URL?

A: If the IdP setup does not require our certificate or metadata URL, no action is required in this case. However, it is still recommended to test the access to the P2P service via SSO after the October 16, 2022 maintenance is completed.

Q: If there are multiple IdP trusts setup to authenticate users to Basware P2P, what actions would be required in relation to this maintenance ?

A: The maintenance on October 16 will impact SSO authentication to all IdP trusts for login to Basware P2P.