When configuring an external Identity Provider (IdP) for inbound Single Sign-On (SSO) with Okta acting as the Service Provider (SP), managing the IdP's signing certificates is a critical aspect.
If the external IdP updates its signing certificate, only one of its certificates can be active for validating incoming SAML assertions within Okta's configuration for that IdP at any given time.
This means Okta, as the SP, does not offer an automatic grace period where it would simultaneously accept assertions signed by both the old and the new IdP certificates during a certificate transition.
- SAML Single Sign-On (SSO)
- Inbound SAML
- Third-Party Identity Provider (IdP) Certificates
This operational characteristic stems from how Okta, in its role as an SP, handles IdP certificate configurations.
When a new signing certificate for an external IdP is uploaded to Okta, it replaces the certificate Okta uses to verify the signature on SAML assertions from that specific IdP.
There is no built-in mechanism for Okta to concurrently trust multiple signing certificates from a single IdP for the same assertion validation process.
To ensure seamless authentication during an external IdP's certificate update when Okta is the SP, careful coordination and timely updates within Okta's IdP configuration are crucial.
- Coordinate with the IdP: Obtain the new certificate from the external IdP in advance of their switch-over.
- Update Okta Configuration: Upload the new IdP certificate to the specific IdP configuration within Okta. This new certificate will need to be designated as the one Okta should use for validating assertion signatures.
- Timing is Key: The update in Okta should be timed as closely as possible to the external IdP's switch to their new certificate. If the IdP switches before Okta is updated, authentication will fail because Okta will be trying to validate with the old certificate. Conversely, if Okta is updated too early, and the IdP is still using the old certificate, failures will also occur.
- No Automatic Overlap: Since only one certificate can be active for validation against an IdP in Okta, it is essential to ensure the correct certificate is active when the IdP begins signing assertions with it. Some IdP systems or manual processes might allow for a very brief window where they sign with both, or switch at a known time, facilitating the update on the Okta side.
Okta itself does not create an extended automatic grace period for dual certificate acceptance for a single IdP.
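The coordination steps above come down to one question at any moment: does the signing certificate the external IdP currently publishes match the single certificate Okta trusts for that IdP? The following Python script is an added example, not Okta's code or an Okta API: it reads the IdP's SAML metadata, pulls out every signing certificate, fingerprints it, and compares it with the fingerprint of the certificate configured on the Okta side. The metadata documents and the certificate bytes are constructed placeholders (not real X.509 certificates); the `okta_trusted_fp` value is assumed to be copied from the IdP configuration in Okta. Because only one certificate can be active in Okta, a metadata document that lists both the old and the new certificate is reported as an overlap window in which the administrator must pick the one the IdP will actually sign with.

```python
"""Pre-rotation check for an external IdP feeding inbound SAML into Okta (SP).

Added example, stdlib only. Compares the signing certificate(s) an IdP publishes
in its SAML metadata with the single certificate Okta currently trusts.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates": arbitrary bytes standing in for DER.
OLD_DER = b"CONSTRUCTED-OLD-IDP-SIGNING-CERT-NOT-REAL-X509"
NEW_DER = b"CONSTRUCTED-NEW-IDP-SIGNING-CERT-NOT-REAL-X509"


def _metadata(*signing: bytes) -> str:
    """Build a minimal constructed IdP metadata document listing the given
    signing certificates plus one encryption-only certificate (to be ignored)."""
    descriptors = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(c).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in signing
    )
    enc = base64.b64encode(b"CONSTRUCTED-ENCRYPTION-ONLY-CERT").decode()
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid">'
        "<md:IDPSSODescriptor>" + descriptors +
        '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{enc}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


METADATA_OLD = _metadata(OLD_DER)           # before the IdP switches
METADATA_BOTH = _metadata(OLD_DER, NEW_DER)  # IdP publishes old and new
METADATA_NEW = _metadata(NEW_DER)           # after the IdP switches


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form Okta displays for a cert."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs(metadata_xml: str) -> List[bytes]:
    """Return DER bytes of every certificate the IdP may use for signing.
    A KeyDescriptor with no 'use' attribute is valid for signing and encryption,
    so it is included; 'encryption'-only descriptors are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((x509.text or "").split())))
    return certs


def rotation_status(metadata_xml: str, okta_trusted_fp: str) -> Dict[str, object]:
    """Classify the IdP-published signing cert(s) against Okta's single trusted cert."""
    published = [fingerprint(c) for c in signing_certs(metadata_xml)]
    trusted = okta_trusted_fp.upper()
    if not published:
        state = "no-signing-cert"      # metadata offers nothing to validate with
    elif trusted in published and len(published) == 1:
        state = "in-sync"              # assertions validate; nothing to do
    elif trusted in published:
        state = "overlap-window"       # IdP lists old+new; Okta can trust only one
    else:
        state = "out-of-sync"          # signature validation in Okta would fail
    return {"state": state, "published": published, "trusted": trusted}


if __name__ == "__main__":
    okta_fp = fingerprint(OLD_DER)  # assumed: copied from the IdP's settings in Okta
    for label, doc in (("old", METADATA_OLD), ("both", METADATA_BOTH), ("new", METADATA_NEW)):
        print(label, rotation_status(doc, okta_fp)["state"])
```

Run against the live metadata URL of the IdP on a schedule during the rotation window; an `out-of-sync` result is exactly the condition in which inbound SSO fails, and `overlap-window` is the moment to upload the new certificate to the IdP configuration in Okta and make it the active one.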
