Maintain SAML certificates

Your SAML applications use X.509 certificates to confirm the authenticity and integrity of messages shared between the Identity Provider (IdP) and the Service Provider (SP). As a Super administrator, you can use the Admin console to:

  • Easily view the X.509 certificates in use by your SAML applications
  • Identify the X.509 certificates that are about to expire
  • Create new certificates and assign them to your SAML applications. This is called certificate rotation.

Why rotate SAML certificates?

X.509 certificates have a five-year lifetime. You should rotate a certificate if it's about to expire, or if it becomes compromised. If a certificate expires before you rotate it, your users won't be able to use SSO to sign in to any SAML applications that use that certificate until you replace it with a new certificate. 

Before the expiration of your default certificate, add a second certificate with a new 5 year lifespan, then switch your apps from the expiring certificate. Having two valid certificates allows you to switch some apps over to the new certificate as a test, without affecting apps that are still using the older certificate. When you've moved all apps over to the new certificate, you can delete the old certificate.

Important: After assigning a new certificate to a SAML app in Admin console,  you also need to update the corresponding SP side SSO configuration with the new certificate, or SSO with the app will fail.

Manage SAML certificates

Your account has one default certificate you can use for all your SAML apps. You can add a second certificate, or delete one or both certificates and generate new certificates:

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAuthenticationand thenSSO with SAML applications.

    The Certificates section shows your current X.509 certificates. You can have up to 2 certificates at one time. The certificate name, expiration date, contents, and SHA-256 fingerprint are shown. Use the buttons at right to copy, download, or delete a certificate.

  3. (Optional) If you have only one certificate, click Add another certificate to create a second certificate.

    Note: The most recently generated (newest) certificate becomes the default certificate used to set up SSO for new SAML apps.

  4. (Optional) To create a new certificate:
    1. Click Delete Delete to delete a certificate.

      If the certificate you're deleting is used by any installed SAML apps, a window lists the affected apps, and warns you that SSO with the app will be unavailable until you assign a new certificate to those apps.

    2. Click Delete certificate. Deleting a certificate has these results:
      • If you have one certificate, a new certificate is automatically generated to replace it.
      • if you have two certificates and delete certificate 1, certificate 2 replaces certificate 1.
  5. If you replaced a certificate used by any of your SAML apps, follow the steps in the next section to assign the new certificate to the affected apps. You'll also need to update the certificate in the SSO settings for those apps on the SP’s administrative website.

Tip: SAML certificate events (deletion, creation, changing a SAML app's assigned certificate) are logged in the Admin audit log.

Update the certificate used by a SAML application

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click the SAML app to open its Settings page.
  4. Click Service provider details.

    Under Certificate, the current certificate used by the app is shown, including certificate ID and expiration date. If you deleted the certificate that was initially used to set up the app, you'll see the warning No certificate assigned

  5. Click the Down arrow Down Arrow and choose a certificate.
  6. (Optional) If there's no other certificate available, or you need to create new certificates, click Manage certificates and follow the instructions in Manage SAML certificates above.
  7. After changing the certificate assigned to the SAML app, make sure to also update the app's SSO configuration with the new certificate on the Service Provider's website. SSO with the SAML app won't work until the SP-side configuration is also updated. 

Important: After you replace a certificate, it may take up to 24 hours for the new certificate to be available for use by your SAML applications.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
14190226029345290872
true
Search Help Center
true
true
true
true
true
73010
false
false