Enabling Multiple Active IdP Signing Certificates for External IdPs
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article describes how to configure multiple active signing certificates for a single external Security Assertion Markup Language (SAML) identity provider (IdP). This feature allows for seamless certificate rotation with zero downtime by supporting up to two active certificates per IdP connection, reducing the risk of authentication failures during certificate swaps.

Applies To
  • SAML 2.0 External Identity Providers
  • Certificates
  • Early Access (EA) features
Solution

To upload and manage multiple signing certificates for a SAML IdP, follow these steps:

  1. In the Admin Console, go to Security > Identity Providers.
  2. Locate the SAML IdP to update and select Edit.
  3. Navigate to the SAML Protocol Settings section.
  4. Under IdP Signature Certificate > Additional certificate (optional), select Browse files to add a second certificate.
  5. Upload the new certificate.
  6. Select Save.
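To make the zero-downtime rotation concrete, the following is an added Python model (not Okta's code) of how a service provider that trusts up to two active IdP signing certificates accepts assertions in each phase of a rotation: before the additional certificate is uploaded, during the overlap, and after the old certificate is removed. It assumes the `cryptography` package, generates throwaway self-signed certificates and a constructed assertion string, and uses plain RSA-SHA256 over bytes in place of full XML-DSig.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def make_idp_cert(common_name, days=365):
    """Throwaway self-signed IdP signing cert (constructed sample, stands in for the real IdP's cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=days))
            .sign(key, hashes.SHA256()))
    return key, cert

def sign_assertion(key, assertion):
    """IdP side: RSA-SHA256 over the assertion bytes (XML-DSig canonicalisation omitted)."""
    return key.sign(assertion, padding.PKCS1v15(), hashes.SHA256())

def verifying_cert(active_certs, assertion, signature):
    """SP side: the assertion is accepted if ANY currently active certificate validates it.
    Returns the matching certificate's CN, or None when no active certificate matches."""
    for cert in active_certs:
        try:
            cert.public_key().verify(signature, assertion, padding.PKCS1v15(), hashes.SHA256())
            return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        except InvalidSignature:
            continue  # not this cert; try the other active one
    return None

def rotation_walkthrough():
    """Which assertions are accepted in each phase: (signed-by-old, signed-by-new)."""
    old_key, old_cert = make_idp_cert("idp-old")
    new_key, new_cert = make_idp_cert("idp-new")
    assertion = b"<saml:Assertion ID='constructed-sample'/>"  # constructed placeholder
    sig_old = sign_assertion(old_key, assertion)
    sig_new = sign_assertion(new_key, assertion)
    phases = {
        "before_upload": [old_cert],        # only the current certificate is active
        "overlap": [old_cert, new_cert],    # additional certificate uploaded, both trusted
        "after_removal": [new_cert],        # old certificate removed once the IdP has switched
    }
    return {phase: (verifying_cert(certs, assertion, sig_old),
                    verifying_cert(certs, assertion, sig_new))
            for phase, certs in phases.items()}
```

The overlap phase is the window in which the IdP can switch to its new key without any assertion being rejected; removing the old certificate only after that switch is what keeps the rotation free of failures.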
