
SSO Certificate Rollover

When your SAML signing certificate is approaching expiry, you can rotate it using the Certificate management section on the Settings / Single sign-on page.

The rollover process works by generating a new certificate and broadcasting it alongside the current one in the platform’s SAML Metadata endpoint, giving your Identity Provider time to start trusting it before the switch. Begin the process well in advance of the expiry date to leave enough time for your IdP to be updated and tested.

In most SAML setups the rotation can be completed without any interruption to SSO logins. The IdP only needs to know the SP certificate in two situations, both of them optional features that are off by default in most setups:

  • The SP signs its AuthnRequests and the IdP is configured to verify those signatures.
  • The IdP encrypts its SAML assertions and uses the SP certificate to do so.

If either of these applies to your setup, update your IdP to trust the new certificate before promoting it to prevent interruption to SSO logins.

The Certificate management section is only visible to users with the Admin role. Users with the Admin:Read role cannot create or promote certificates.

Step 1: Create the rollover certificate

Navigate to Settings / Single sign-on and scroll down to the Certificate management section. You will see the fingerprint and expiry date of your currently active certificate.

Click Create rollover certificate to generate a new certificate.

(Screenshot: The Certificate management section before a rollover certificate exists, showing the active certificate and the Create rollover certificate button)

Step 2: Trust the new certificate in your Identity Provider

Once the rollover certificate has been created, its fingerprint and expiry date are shown alongside the active certificate. From this point on, the rollover certificate is also included in the platform’s SAML Metadata endpoint.

(Screenshot: Both the active certificate and the rollover certificate are now listed in the Certificate management section)

You can use Download rollover certificate to obtain the certificate file and explicitly upload it to your Identity Provider (IdP) if required.

In typical SAML setups, the IdP does not need to explicitly trust or upload the Service Provider’s certificate. However, some IdPs require this step — check your provider’s documentation if you are unsure.

Step 3: Promote the rollover certificate to active

Once your IdP is configured to trust the new certificate, click Promote to active. A confirmation dialog will warn you that the current active certificate will be removed and replaced by the rollover certificate.

(Screenshot: The confirmation dialog before promoting the rollover certificate)

Only proceed once you have confirmed your IdP is configured to trust the rollover certificate. If it is not, users may be locked out of SSO.

Click Promote to active in the dialog to complete the rotation. The rollover certificate becomes the new active certificate and the previous one is removed.

Step 4: Verify the rotation

After promoting, confirm that the Certificate management section now shows the new certificate fingerprint and expiry date.

(Screenshot: The Certificate management section after a successful rollover; the new certificate is active and a fresh rollover can be created at any time)

Finally, verify that SSO login still works as expected. If you are currently logged in via SSO, it is recommended to test in a separate or incognito browser session to avoid accidental lockout.
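Steps 2 and 4 both come down to the same check: the platform's SAML Metadata endpoint should advertise the certificate whose fingerprint the Certificate management section shows (both certificates during the rollover window, only the promoted one afterwards), and that certificate should be inside its validity period. The script below is an added example, not code from the platform or its documentation. It parses standard SAML 2.0 SP metadata with the Python standard library only, lists every advertised certificate with its SHA-256 fingerprint and validity window, and confirms that a given fingerprint is present and valid. The function names, the `sp.example` entity ID and the two certificates are assumptions: the certificates are unsigned X.509 skeletons constructed inline so the script runs offline; in production you would fetch your own metadata endpoint and compare against the fingerprint shown in the UI.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    while start < end:
        tag, vstart, vend = _tlv(buf, start)
        yield tag, vstart, vend
        start = vend


def _asn1_time(buf, tag, start, end):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)    # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    _, v_start, v_end = fields[3]                    # serial, sigAlg, issuer, validity
    (t1, s1, e1), (t2, s2, e2) = _children(der, v_start, v_end)
    return _asn1_time(der, t1, s1, e1), _asn1_time(der, t2, s2, e2)


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form admin UIs usually display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def advertised_certs(metadata_xml):
    """Every certificate in the SP metadata, with its use, fingerprint and validity window."""
    root, found = ET.fromstring(metadata_xml), []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")    # no 'use' attribute means both
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(node.text.split()))
            not_before, not_after = cert_validity(der)
            found.append({"use": use, "sha256": fingerprint(der),
                          "not_before": not_before, "not_after": not_after})
    return found


def rollover_ready(certs, rollover_fp, now=None):
    """True when the fingerprint shown as the rollover certificate is really advertised
    in the metadata and is inside its validity period, i.e. safe to trust in the IdP."""
    now = now or datetime.now(timezone.utc)
    return any(c["sha256"] == rollover_fp and c["not_before"] <= now <= c["not_after"]
               for c in certs)


# --- constructed sample data: unsigned X.509 skeletons, not real certificates ---
def _der(tag, content):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 \
        else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + content


def _constructed_cert(not_before, not_after, serial):
    def seq(*parts):
        return _der(0x30, b"".join(parts))

    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05, b""))  # sha256WithRSA
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])), alg,
              seq(), seq(utc(not_before), utc(not_after)), seq(), seq(alg, _der(0x03, b"\x00")))
    return seq(tbs, alg, _der(0x03, b"\x00"))        # no real signature: sample only


_UTC = timezone.utc
ACTIVE_DER = _constructed_cert(datetime(2022, 1, 1, tzinfo=_UTC), datetime(2026, 6, 30, tzinfo=_UTC), 1)
ROLLOVER_DER = _constructed_cert(datetime(2024, 1, 1, tzinfo=_UTC), datetime(2035, 1, 1, tzinfo=_UTC), 2)
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://sp.example/saml">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + "".join('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
              f'{base64.b64encode(d).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
              '</md:KeyDescriptor>' for d in (ACTIVE_DER, ROLLOVER_DER))
    + '</md:SPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    # In production, fetch your platform's SAML Metadata endpoint instead of SAMPLE_METADATA.
    certs = advertised_certs(SAMPLE_METADATA)
    for c in certs:
        print(f'{c["use"]:<20} {c["sha256"]}  expires {c["not_after"].date()}')
    print("rollover advertised and valid:", rollover_ready(certs, fingerprint(ROLLOVER_DER)))
```

Run it once after Step 1 (both fingerprints should appear, and the rollover one must match the UI before you upload it to the IdP) and once after Step 3 (only the new fingerprint should remain). A fingerprint in the UI that the metadata endpoint does not advertise, or a certificate that is already outside its validity window, is the kind of mismatch that turns a promotion into a lockout.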
