Creating a New Signing Key

Important: To create a new signing key, you must have administrative privileges in your organization’s identity provider and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.

The signing key is the RS256 public key that corresponds to the private key Flexera One uses to sign authorization requests from Flexera One to your identity provider. Your identity provider uses this public key to verify that the communication is coming from Flexera One.

This Flexera One signing key is only copied to your identity provider if you have elected to have communication from Flexera One to your identity provider signed. For details on this election, see Adding a New Identity Provider > Sign Authorization Request.

Important: You only need to create a new signing key if you have enabled Sign Authorization Request in Adding a New Identity Provider. Otherwise, you can ignore this section.

To create a new signing key:

1. Go to the Identity Providers page (Administration > Identity Providers).
2. Click the identity provider record.
3. In the identity provider record, click the Signing Keys tab.
4. Click the New Signing Key button.
5. Select between 2 and 10 years from the Number of Years Valid drop-down menu.
6. Click Save.
7. In the signing key’s corresponding Actions column, click the ellipsis (...) to reveal the options Activate or Show Key.
8. Click Show Key to reveal the signing key. Save the signing key in your identity provider SAML application setup.

See your identity provider vendor’s documentation for saving the signing key. Below are documentation links for Microsoft Azure:

Advanced certificate signing options in the SAML token for gallery apps in Azure Active Directory 
Manage certificates for federated single sign-on in Azure Active Directory 

Important: At this time, Flexera One does not support Okta SAML App Wizard: Show Advanced Settings > Enable Single Logout.

9. In the signing key’s corresponding Actions column, click the ellipsis (...) and click Activate.
10. When the Activate Signing Key pop-up window appears, click Activate.

Once the signing key is activated, the Status column will change from Inactive to Active.

Important: Only one signing key can be active at a time. Only the active signing key will be used to sign AuthnRequests. Activating a new signing key deactivates the currently active signing key.

Rotating Your Signing Keys

We recommend rotating your signing keys periodically. Currently, rotating signing keys in Flexera One is a manual process with the following suggested steps:

To rotate your signing keys:

1. In Flexera One: Generate a new Signing Key.
2. In Flexera One: Download the new Signing Key.
3. In your identity provider: Upload the new Signing Key.
4. In Flexera One: Set the Signing Key to active.
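
The following is an added example, not Flexera One code or tooling. It uses the openssl command line to show what the identity provider's signature check does at each stage of the rotation above. Assumptions: the key names old and new, the request payload, and an identity provider that stores a single verification key are all constructed for the demonstration.

```sh
#!/bin/sh
# Constructed demo; "old" and "new" are hypothetical names for the
# currently active key and its replacement.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed stand-in for the AuthnRequest bytes that get signed.
printf 'constructed AuthnRequest payload' > "$work/req.txt"

# gen_key NAME: NAME.key is the private half (stays with the signer),
# NAME.pub is the public half (what is saved in the identity provider).
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/$1.key" 2>/dev/null
  openssl pkey -in "$work/$1.key" -pubout -out "$work/$1.pub"
}

# sign_request ACTIVE: sign with the active key
# (RSA PKCS#1 v1.5 with SHA-256, which is what RS256 denotes).
sign_request() {
  openssl dgst -sha256 -sign "$work/$1.key" \
    -out "$work/req.sig" "$work/req.txt"
}

# idp_accepts STORED: verify against the one public key the IdP holds.
idp_accepts() {
  openssl dgst -sha256 -verify "$work/$1.pub" \
    -signature "$work/req.sig" "$work/req.txt" >/dev/null 2>&1
}

# outcome ACTIVE STORED: prints "accepted" or "rejected".
outcome() {
  sign_request "$1"
  if idp_accepts "$2"; then echo accepted; else echo rejected; fi
}

gen_key old
gen_key new

echo "before rotation      (active=old, idp=old): $(outcome old old)"
echo "uploaded, not active (active=old, idp=new): $(outcome old new)"
echo "active, not uploaded (active=new, idp=old): $(outcome new old)"
echo "rotation complete    (active=new, idp=new): $(outcome new new)"
```

Under the single-key assumption, any mismatch between the active signing key and the key saved in the identity provider causes signed requests to be rejected, so steps 3 and 4 are best performed back to back and followed by a test sign-in.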