<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Enabling Multiple Active IdP Signing Certificates for External IdPs

Single Sign-On
Okta Classic Engine
Okta Identity Engine

Overview

This article describes how to configure multiple active signing certificates for a single external Security Assertion Markup Language (SAML) identity provider (IdP). This feature allows for seamless certificate rotation with zero downtime by supporting up to two active certificates per IdP connection, reducing the risk of authentication failures during certificate swaps.

Applies To

  • SAML 2.0 External Identity Providers 
  • Certificates
  • Early Access (EA) features

Solution

To upload and manage multiple signing certificates for a SAML IdP, follow these steps:

  1. In the Admin Console, go to Security > Identity Providers.
  2. Locate the specific SAML IdP and select Edit.
  3. Navigate to the SAML Protocol Settings section.
  4. To add a second certificate, navigate to IdP Signature Certificate > Additional certificate (optional), select Browse files.

Browse files

  1. Upload the new certificate.
  2. Select Save.

 

Loading
Okta Support - Enabling Multiple Active IdP Signing Certificates for External IdPs