Issue Knack SSL SSO Certificates (2021) - Annual action

[johnclary]

Todo:

• [x] Generate a new cert and store the pub/private keys in 1Password. Use a 720 day expiration.
• [x] Compile a list of all Knack apps with SSO
• [x] Reach out to CTM and let them know we'd like to coordinate an update of our certs
• [x] Schedule an app maintenance window for SSO change that works for CTM and us. It would probably be fine to do this late in the day during working hours. E.g. 3pm-5pm. Users who are already logged in will not be kicked out of the system.

During the maintenance window:

• [x] Install new certificates in Knack apps
• [x] Send updated app metadata to CTM
• [x] Confirm SSO is working

After maintenance is complete:

• [x] Add two calendar reminders to remind us of the expiration. One reminder 30 days before the actual expiration, and one reminder the working day prior to the expiration.

[ChrispinP]

Generated the new certs and updated One Password. Sent email to CTM to schedule update and any further prep.

[ChrispinP]

sent followup email to CTM

[ChrispinP]

Met with CTM. Set meeting to test ATD Forms and Banners apps with new certificates tomorrow.

[ChrispinP]

Sent list of apps we need Identity Provider certs for.

• [x] ATD Forms (atd-forms)
• [x] Street Banners (street-banners)
• [x] ATD Visitor Sign In (atd-visitor-log)
• [x] AMD Data Tracker (amd)
• [x] Data and Technology Services (dts)
• [x] Finance and Purchasing (finance-purchasing) / (finance-admin)
• [x] Human Resources (hr)
• [x] Parking Enterprise (parking-enterprise)
• [x] ROW Portal (row)
• [x] Residential Parking Permits (rpp) / (parking)
• [x] Shared Mobility (smo)
• [x] Signs and Markings (signs-markings)
• [x] Transportation Development Services (development-services)
• [x] Vision Zero in Action (vza)

[ChrispinP]

Scheduled time Friday to update certificates for remaining apps. updated one pass with IP certs.

[ChrispinP]

All SSO enabled apps now have updated certificates and if they had incorrect credentials such as ID Property or Issuer, they were also updated.

Any apps that were not new were resulting in a Public Cert Error so we had to recreate those instances in Azure AD. This also resolved a couple conflicts with the TDS, Data Tracker, and Finance apps.

If an app had old or incorrect SSO JS code it was updated. CSS code will need to be updated across apps so SSO buttons look the same, I only updated some apps.

Certs are set to expire 2 years from now and its unclear if app instances will need to be recreated again or not when the time comes. Its safe to assume that when we change certs again in 2 years that unless authentication changes between Azure and Knack, that all app instances will need to be recreated with updated metadata to create a new IP Cert.

All IP Certs have been updated in One Pass

Will set those Expiration Calendar reminders on Monday

[ChrispinP]

Sent meeting invite to team for 30 day expiration notice in 2023.

Added 2 calendar events to Data calendar.

Cert Dates are in One Pass

Will create a new issue for updating the SSO documentation.

[dianamartin]

Process took about 3 hours working with CTM. Perhaps in the future we'll schedule the outage for 3 hours.