This article clarifies whether Okta automatically replaces and activates new certificates for custom Security Assertion Markup Language (SAML) applications before the old certificate expires.
Custom Security Assertion Markup Language (SAML) Applications
Okta does not automatically replace and activate a new signing certificate before the old one expires. Activating a new certificate automatically would break sign-in to the Service Provider (SP): the SP validates assertion signatures against the certificate it has on file, so it rejects assertions signed with a key it does not yet trust. Administrators receive a notification in the Tasks section of the Okta Admin Console and by email 60 days before expiration, and must renew the signing certificate for each custom SAML application manually. A manual rollover, in which the SP is given the new certificate before it is activated in Okta, prevents downtime.
1. In the Okta Admin Console, go to Applications > Applications.
2. Select the custom SAML application.
3. Select the Sign On tab.
4. Scroll to the SAML Signing Certificates section.
5. Click Generate New Certificate.
   NOTE: The new certificate is generated with an Inactive status, while the old certificate remains Active. Okta keeps signing with the old certificate until you activate the new one, so nothing changes for the SP yet.
6. Download the new certificate or metadata.
7. Upload the new certificate to the SAML settings of the custom application.
   NOTE: If the application supports only one certificate, perform this step during a scheduled maintenance window: from the moment the SP holds only the new certificate until the new certificate is activated in Okta, assertions signed with the old certificate are rejected.
8. Return to the SAML Signing Certificates section in Okta.
9. Locate the new certificate.
10. Click Actions and select Activate.
    NOTE: After activation, test a sign-in to the application to confirm the SP accepts assertions signed with the new certificate. If the SP supports multiple certificates, remove the old one from the SP only after this test succeeds.
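The same rollover can be checked and staged against the Okta Apps API instead of the Admin Console. The script below is an added example written for this article; it is not Okta's code and not part of the original page. It assumes an API token with application-management rights, uses the documented app-credential endpoints (list keys, generate key, fetch SAML metadata for a key, and update the app's `credentials.signing.kid` to activate a key), and deliberately never activates a key on its own: activation only happens when the operator passes `--activate KID`, i.e. after the SP has been updated. `ORG_URL`, `API_TOKEN` and `APP_ID` are placeholders, and `SAMPLE_KEYS` is constructed data used for the offline demonstration.

```python
"""Check a custom SAML app's signing keys in Okta and stage a manual rollover.

Added example, not Okta's code. Endpoints follow the Okta Apps API:
  GET  /api/v1/apps/{appId}                  -> credentials.signing.kid (active key)
  GET  /api/v1/apps/{appId}/credentials/keys -> all signing keys with expiresAt
  POST /api/v1/apps/{appId}/credentials/keys/generate?validityYears=N (inactive key)
  GET  /api/v1/apps/{appId}/sso/saml/metadata?kid=... -> metadata for the SP
  PUT  /api/v1/apps/{appId} with credentials.signing.kid -> activate that key
"""
import json
import sys
import urllib.request
from datetime import datetime, timezone

WARN_DAYS = 60  # threshold at which Okta raises the expiry task and email


def parse_okta_time(value):
    """Okta timestamps look like 2026-04-15T00:00:00.000Z (UTC, milliseconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def days_until_expiry(key, now):
    return (parse_okta_time(key["expiresAt"]) - now).days


def rollover_plan(keys, active_kid, now, warn_days=WARN_DAYS):
    """Decide the next manual step. action is one of:
    none                     - active key is outside the warning window
    generate                 - active key expires soon and no newer key exists
    activate_after_sp_update - a newer inactive key exists; import it into the SP,
                               then activate it in Okta (never the other way round)
    """
    by_kid = {k["kid"]: k for k in keys}
    if active_kid not in by_kid:
        raise ValueError(f"active kid {active_kid} not in key list")
    active = by_kid[active_kid]
    remaining = days_until_expiry(active, now)
    # A rollover candidate is any other key that outlives the active one.
    candidates = [k for k in keys if k["kid"] != active_kid
                  and parse_okta_time(k["expiresAt"]) > parse_okta_time(active["expiresAt"])]
    plan = {"active_kid": active_kid, "days_remaining": remaining}
    if remaining > warn_days:
        plan["action"] = "none"
    elif not candidates:
        plan["action"] = "generate"
    else:
        newest = max(candidates, key=lambda k: parse_okta_time(k["created"]))
        plan["action"] = "activate_after_sp_update"
        plan["candidate_kid"] = newest["kid"]
    return plan


class OktaApps:
    """Minimal client for the app-credential endpoints (SSWS token auth)."""

    def __init__(self, org_url, api_token):
        self.org_url = org_url.rstrip("/")
        self.headers = {"Authorization": f"SSWS {api_token}",
                        "Accept": "application/json", "Content-Type": "application/json"}

    def _request(self, method, path, body=None, accept=None):
        data = json.dumps(body).encode() if body is not None else None
        headers = dict(self.headers, **({"Accept": accept} if accept else {}))
        req = urllib.request.Request(self.org_url + path, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return raw.decode() if accept else json.loads(raw)

    def active_kid(self, app_id):
        return self._request("GET", f"/api/v1/apps/{app_id}")["credentials"]["signing"]["kid"]

    def list_keys(self, app_id):
        return self._request("GET", f"/api/v1/apps/{app_id}/credentials/keys")

    def generate_key(self, app_id, validity_years=2):
        # Returned key is NOT active; the SP must be updated before it is activated.
        return self._request("POST", f"/api/v1/apps/{app_id}/credentials/keys/generate"
                                     f"?validityYears={validity_years}")

    def metadata_for_key(self, app_id, kid):
        # SAML metadata carrying the chosen certificate, for the SP admin to import.
        return self._request("GET", f"/api/v1/apps/{app_id}/sso/saml/metadata?kid={kid}",
                             accept="application/xml")

    def activate_key(self, app_id, kid):
        # Activation is an app update that sets credentials.signing.kid; the required
        # name/label/signOnMode fields are copied from the current app object.
        app = self._request("GET", f"/api/v1/apps/{app_id}")
        body = {"name": app["name"], "label": app["label"], "signOnMode": app["signOnMode"],
                "credentials": {"signing": {"kid": kid}}}
        return self._request("PUT", f"/api/v1/apps/{app_id}", body)


# Constructed sample (not from a real org): active key 45 days from expiry plus a
# newer key that was generated but not yet activated.
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACTIVE_KID = "old-key-kid"
SAMPLE_KEYS = [
    {"kid": "old-key-kid", "created": "2024-04-15T00:00:00.000Z", "expiresAt": "2026-04-15T00:00:00.000Z"},
    {"kid": "new-key-kid", "created": "2026-02-20T00:00:00.000Z", "expiresAt": "2028-02-20T00:00:00.000Z"},
]

if __name__ == "__main__":
    if len(sys.argv) < 4:  # offline demo: python rollover.py
        print(json.dumps(rollover_plan(SAMPLE_KEYS, SAMPLE_ACTIVE_KID, SAMPLE_NOW), indent=2))
        sys.exit(0)
    client, app_id = OktaApps(sys.argv[1], sys.argv[2]), sys.argv[3]  # ORG_URL API_TOKEN APP_ID
    if "--activate" in sys.argv:  # run only after the SP trusts the new certificate
        kid = sys.argv[sys.argv.index("--activate") + 1]
        client.activate_key(app_id, kid)
        sys.exit(f"activated {kid}; now test a sign-in against the SP")
    plan = rollover_plan(client.list_keys(app_id), client.active_kid(app_id), datetime.now(timezone.utc))
    if plan["action"] == "generate":
        plan.update(action="activate_after_sp_update", candidate_kid=client.generate_key(app_id)["kid"])
    if plan["action"] == "activate_after_sp_update":
        print(client.metadata_for_key(app_id, plan["candidate_kid"]))  # import this into the SP first
    print(json.dumps(plan, indent=2))
```

Run it without arguments to see the plan for the constructed sample; with `ORG_URL API_TOKEN APP_ID` it reports the live state, generates a key if none is staged, and prints the metadata to hand to the SP owner. Only the explicit `--activate KID` invocation changes which key Okta signs with, which keeps the ordering the article insists on: SP first, Okta second.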
