Changes to SAML App Vendor's SSO Certificate and Its Impact on Okta
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

When a SAML app vendor replaces their Single Sign-On (SSO) certificate, Okta requires a configuration update only in specific scenarios. In most cases, no action is necessary. Scenarios that require uploading the new certificate in Okta include Okta Integration Network (OIN) apps with explicit certificate upload requirements and custom SAML apps configured for encrypted assertions, signed requests, or Single Logout (SLO).

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Single Sign-On (SSO) Certificate
  • Service Provider (SP)
  • Expiring/Retired Certificate
  • Certificate Rotation
  • Single Logout (SLO)
Cause

In most cases, when a Service Provider sends notification of a certificate replacement, Okta does not require configuration changes. A certificate upload in Okta is necessary only when specific app configurations are in use.

Solution

When Does a Service Provider Certificate Replacement Require Changes in Okta?

 

The following scenarios require uploading the new SP certificate in Okta:

  • OIN apps that explicitly detail SP certificate upload requirements in their Setup Instructions.
  • Custom SAML apps configured for encrypted assertions, signed requests, or Single Logout (SLO).
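
One way to triage a vendor's rotation notice against the scenarios above is to check which certificate-dependent features the SP's SAML 2.0 metadata advertises. This Python snippet is an added example, not Okta's code; the function names and the constructed sample metadata are assumptions, and the metadata is only a hint, since the Okta app's own configuration decides whether an upload is needed.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata (not from a real vendor); the certificate is a placeholder.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/slo"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def cert_dependent_features(metadata_xml):
    """List SP features in the metadata that depend on the SP certificate."""
    root = ET.fromstring(metadata_xml.strip())
    found = []
    for sp in root.iter("{%s}SPSSODescriptor" % NS["md"]):
        if sp.get("AuthnRequestsSigned", "false").lower() in ("true", "1"):
            found.append("signed requests")
        uses = [kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)]
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if any(u in ("encryption", None) for u in uses):
            found.append("encrypted assertions")
        if sp.find("md:SingleLogoutService", NS) is not None:
            found.append("Single Logout (SLO)")
    return found

def needs_okta_review(metadata_xml):
    """True when the metadata advertises any certificate-dependent feature."""
    return bool(cert_dependent_features(metadata_xml))

if __name__ == "__main__":
    print(cert_dependent_features(SAMPLE_METADATA))
```

An empty result suggests the rotation falls under the "no action" case; any listed feature is a prompt to confirm the matching setting on the Okta app before the vendor's cutover.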

 

Uploading a certificate to a custom SAML application

The following steps describe how to update a certificate for a custom SAML application.

  1. Navigate to Applications > Applications and select the application.
  2. Go to the General tab.
  3. Choose Edit in the SAML Settings section.
  4. Select Next to proceed to the Configure SAML page.
  5. In the SAML Settings section, click Show Advanced Settings.
  6. Locate the Signature Certificate field under SAML Request and upload the new certificate file provided by the Service Provider.
  7. Select Next and then Finish.

NOTE: If the impact of a certificate replacement is unclear, contact Okta Support for further assistance.

 

The following image shows an example of an OIN application (Salesforce) that supports the SLO feature.

[Image: Salesforce]

The following image shows an example of a custom SAML application's advanced settings that allow the upload of a Service Provider certificate.

[Image: Salesforce settings]
