SSO Manager - Single Sign On Certificate Expiration


The SSO Manager SAML certificates show as expired even though they are in an active integration. 

Background information

SAML (Security Assertion Language) is an open source standard. You can learn more about SAML here

SAML uses the certificate infrastructure as a "highly generic and extensible means of communicating key material. This specification takes no position on the allowable or suggested content of this element, nor on its meaning to a relying party. As a concrete example, no implications of including an X.509 certificate by value or reference are to be assumed. Its validity period, extensions, revocation status, and other relevant content may or may not be enforced, at the discretion of the relying party."

Since the expiry is usually not enforced it doesn't matter. What matters is when keys change (key rollover). To handle that the certificates are typically loaded from metadata published by the Idp. Which means that in the end it is the TLS certificate of the metadata endpoint on the Idp that is the base for the trust.


These certificates are in fact still valid and secure for the integration connections that are used. No changes are required to ensure the integrations stays secure and usable. 

Optional changes

  • Admins can choose to select "Generate new Certificate" and generate a new certificate at their own discretion.
    Note: If a new certificate is generated it will need to be used to replace the legacy certificate in your integration endpoint. 


Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section