Dear Partner,
We are making improvements to our infrastructure, which will involve changes to our SSL certificate and network configuration. This is an important update, and if ignored, it may cause serious disruptions to your services.
What’s Changing?
- SSL Certificate Update – Our certificate will be issued by a different provider.
- Network Changes – Our IP addresses will change as part of this migration.
- Differences in TLS Cipher Suite – The supported TLS cipher suites will change, which could affect your ability to establish a secure connection.
For the complete list, please refer here.
How This Affects You
Please take note of the following:
- If you pin our SSL certificate – Your integration may fail to establish a secure connection when our new certificate is deployed. We recommend trusting certificates issued by widely recognised Certificate Authorities instead. For more info, please refer to this link.
- If you whitelist our current IP addresses – Your integration may fail to connect to our services once the migration is complete, as our IPs will change. We strongly recommend resolving our domain name dynamically instead. For more info, please refer to this link.
- If you are using TLS 1.2 with TLS_ECDHE_ECDSA_WITH_AES_128_CCM or TLS_ECDHE_ECDSA_WITH_AES_256_CCM – These ciphers will no longer be supported and you may not be able to establish a secure connection once the migration is complete. Please update your configuration to use the supported cipher suites listed here.
Affected Endpoints
The following endpoints may be impacted by this migration:
- https://id.singpass.gov.sg/.well-known/openid-configuration
- https://id.singpass.gov.sg/.well-known/keys
- https://id.singpass.gov.sg/auth
- https://id.singpass.gov.sg/token
- https://id.singpass.gov.sg/bc-auth
- https://id.singpass.gov.sg/userinfo
Action Required
1. Test in Staging
- Please verify your integration in our staging environment from 24 Feb 2025 onwards to ensure a smooth transition before the production migration.
- This email may not have reached your technical or infrastructure teams directly. Please forward it to your relevant team members to ensure they are aware of these changes and can take the necessary actions.
2. Confirm readiness
- Complete the acknowledgement form to confirm your team has tested and prepared for the migration.
Timeline
The changes will happen on the following dates:
- Staging - 24 February 2025 - 11:00 AM
- Production - 24 March 2025 - 11:59 PM (2359 hrs)
For any queries, please submit a request at the Singpass Partner Support Center.
-----------------------------------------------------------------------------------------------------
Key Changes
1. SSL Certificate Update & Cert Pinning
We will be updating our SSL certificate, which will now be issued by a different Certificate Authority. If you have pinned our SSL certificate, your integration may fail to establish a secure connection when our new certificate is deployed.
What You Should Do:
- Avoid certificate pinning to ensure long-term compatibility.
- Trust only well-established Certificate Authorities.
2. IP Address Changes & IP Whitelisting
As part of this migration, our IP addresses will change. If you have whitelisted our existing IP addresses, your integration may fail to connect to Singpass once the migration is complete, as our IPs will change.
What You Should Do:
- Do not rely on static IP whitelisting.
- Resolve our domain dynamically instead of hardcoding IPs.
3. TLS Cipher Suite Differences
Our new infrastructure will support a different set of TLS cipher suites. If your integration is restricted to specific ciphers, you may experience connectivity issues. Please check the following cipher suites.
Before (TLS 1.2):
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CCM
After (TLS 1.2):
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS 1.3:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
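The following is an added readiness-check example for sections 1 to 3 (certificate pinning, IP whitelisting and cipher suites); it is not Singpass code. It assumes the TLS 1.2 suites in the "After" list and the TLS 1.3 suites in the table are the ones offered after migration, maps the IANA suite names to the OpenSSL names Python's ssl module uses, and takes the hostname id.singpass.gov.sg only as an illustrative target. The live handshake helper is not invoked at import time, so everything else runs offline; the resolver used in the dynamic-lookup helper is injectable so it can be exercised with constructed addresses.

```python
"""Pre-migration TLS readiness checks (added example, not Singpass code)."""
import socket
import ssl

# "After" TLS 1.2 suites from the notice, mapped to the OpenSSL names that
# ssl.SSLContext.set_ciphers() understands (assumed mapping, standard OpenSSL naming).
AFTER_TLS12 = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
}
# TLS 1.3 suites listed in the table; OpenSSL uses the IANA names for these.
AFTER_TLS13 = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
# Suites the notice says will no longer be offered.
DROPPED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
}


def suites_that_will_break(configured):
    """Return the configured IANA suite names the migrated endpoint will not offer."""
    supported = set(AFTER_TLS12) | AFTER_TLS13
    return sorted(s for s in configured if s not in supported)


def client_only_has_dropped_suites(configured):
    """True when a client restricted to `configured` cannot negotiate any post-migration suite."""
    supported = set(AFTER_TLS12) | AFTER_TLS13
    return not any(s in supported for s in configured)


def build_client_context():
    """Client context that trusts the platform CA store (no pinning), requires
    hostname verification and restricts TLS 1.2 to the post-migration suites.
    TLS 1.3 suites are left at the OpenSSL defaults, which include the three above."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(AFTER_TLS12.values()))
    return ctx


def pinning_free(ctx):
    """True when the context validates chains against trusted CAs rather than a pinned cert."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def resolve_dynamically(hostname, resolver=socket.getaddrinfo):
    """Resolve the service name at call time instead of hardcoding IPs.
    `resolver` is injectable so the function can be tested without DNS."""
    infos = resolver(hostname, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def negotiated_suite(hostname, port=443):
    """Live handshake against the endpoint; returns (protocol, suite name).
    Needs network access, so it is not called at import time."""
    ctx = build_client_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Constructed client configuration that still lists a CCM suite.
    legacy_config = ["TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
    print("will break:", suites_that_will_break(legacy_config))
    print("context is pin-free:", pinning_free(build_client_context()))
    # Uncomment to test against staging once it is live:
    # print(negotiated_suite("id.singpass.gov.sg"))
```

Run `suites_that_will_break` over the cipher list your client or load balancer actually configures; an empty result means every configured suite remains negotiable after the change. A client whose configured suites are only the two CCM entries is the case the notice warns about, and `client_only_has_dropped_suites` reports it directly.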
4. Stricter HTTP request validation
Our new infrastructure will enforce stricter HTTP request validation. Please ensure your HTTP requests comply with RFC 7230.
Common Issue to Check:
- Ensure GET requests do not include a content-length header. GET requests with a content-length header (including content-length: 0) will be rejected.
What You Should Do:
- Review your application’s request headers and overall message structure to ensure full compliance with RFC 7230.
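The following is an added example of auditing outgoing HTTP/1.1 requests before they meet a stricter parser; it is not Singpass code and does not describe how the new infrastructure validates requests internally. It checks the one rule the notice names (a Content-Length header on a GET request is rejected) and, going beyond the notice, a few RFC 7230 framing and syntax rules that strict parsers commonly enforce: exactly one Host header, no obsolete line folding, token-only header names, a decimal Content-Length that matches the body, and no Content-Length alongside Transfer-Encoding. The sample requests are constructed; the request bodies are abbreviated placeholders.

```python
"""Audit raw HTTP/1.1 request messages for RFC 7230 compliance (added example)."""
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 section 3.2.6
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$")
# Methods for which the notice says a Content-Length header is rejected.
NO_BODY_METHODS = {"GET"}


def parse_request_head(raw: bytes):
    """Split a request into (method, target, version, [(name, value), ...], body).
    Raises ValueError on syntax a strict parser would reject outright."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").rstrip("\r\n").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed request-line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            # obs-fold: senders MUST NOT generate it (RFC 7230 section 3.2.4)
            raise ValueError("obsolete line folding in headers")
        name, sep, value = line.partition(":")
        # a space before the colon or a non-token name is rejected here too
        if not sep or not TOKEN.match(name):
            raise ValueError(f"invalid header field: {line!r}")
        headers.append((name.lower(), value.strip()))
    return m.group(1), m.group(2), m.group(3), headers, body


def audit_request(raw: bytes):
    """Return a list of problems; an empty list means the request looks compliant."""
    try:
        method, _target, version, headers, body = parse_request_head(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    names = [n for n, _ in headers]
    if version == "HTTP/1.1" and names.count("host") != 1:
        problems.append("HTTP/1.1 requires exactly one Host header (RFC 7230 section 5.4)")
    lengths = [v for n, v in headers if n == "content-length"]
    if lengths:
        if method in NO_BODY_METHODS:
            problems.append(
                f"{method} request carries Content-Length ({lengths[0]}); "
                "rejected by the new infrastructure even when it is 0")
        if len(set(lengths)) > 1:
            problems.append("conflicting Content-Length values (section 3.3.3)")
        if "transfer-encoding" in names:
            problems.append("both Content-Length and Transfer-Encoding present (section 3.3.3)")
        elif not lengths[0].isdigit():
            problems.append(f"Content-Length is not a decimal integer: {lengths[0]!r}")
        elif int(lengths[0]) != len(body):
            problems.append(f"Content-Length {lengths[0]} does not match body length {len(body)}")
    return problems


# Constructed sample requests (bodies are abbreviated placeholders).
BAD_GET = (b"GET /.well-known/openid-configuration HTTP/1.1\r\n"
           b"Host: id.singpass.gov.sg\r\nContent-Length: 0\r\n\r\n")
GOOD_GET = (b"GET /.well-known/openid-configuration HTTP/1.1\r\n"
            b"Host: id.singpass.gov.sg\r\nAccept: application/json\r\n\r\n")
GOOD_POST = (b"POST /token HTTP/1.1\r\nHost: id.singpass.gov.sg\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 29\r\n\r\ngrant_type=authorization_code")
FOLDED_GET = (b"GET /auth HTTP/1.1\r\nHost: id.singpass.gov.sg\r\n"
              b"Accept: text/html,\r\n application/json\r\n\r\n")
NO_HOST_GET = b"GET /auth HTTP/1.1\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("bad GET", BAD_GET), ("good GET", GOOD_GET), ("good POST", GOOD_POST),
                       ("folded GET", FOLDED_GET), ("no Host", NO_HOST_GET)]:
        print(f"{label}: {audit_request(req) or 'ok'}")
```

Point the auditor at requests captured from your own integration (for example, from a debugging proxy or the client library's wire log) rather than at hand-written samples, since the header that trips the new validation is usually one a client library adds automatically.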