When you configure Security Assertion Markup Language (SAML) authentication for an application in Okta, the application uses its own SAML signing certificate by default; keeping certificates separate per application is the more secure choice.
Okta also offers a single organization-wide (org-wide) SAML signing certificate that can be shared across multiple applications. This flexibility lets an organization address specific security concerns or meet compliance requirements.
This article outlines the key differences between using a single org-wide SAML signing certificate and assigning individual certificates for each app.
- Okta Administrators
- Application Owners
- Identity and Access Management (IAM) Teams
- Security Teams
- Security Assertion Markup Language (SAML)
An org-wide certificate simplifies certificate management, but it concentrates risk: if its private key is compromised, an attacker can sign assertions that every application trusting that certificate will accept, and rotating the key means updating every one of those Service Providers at the same time. To limit the blast radius, admins can keep the default per-application certificates, or assign a new unique certificate to a specific application, so that a compromised or rotated key affects only the one application that uses it.
Steps to Assign a Unique SAML Certificate to an Application:
- Generate a New Certificate
Open the application in the Okta admin console. On its Sign On tab, scroll to the SAML Signing Certificates section and click Generate new certificate. The new certificate appears alongside the existing one; it does not sign assertions for the app until it is activated.
- Update the Service Provider (SP)
Download the new certificate's metadata from the same section and load it into the Service Provider (SP) for that application. Do this before activating the new certificate in Okta: the SP validates the signature on every assertion against the certificate it has on file, so activating first makes every sign-in to that application fail until the SP is updated.
- Monitor Certificate Expiration
Check each certificate's expiration date regularly and replace it before it expires to avoid a sign-in outage. Okta adds a reminder to the Tasks section of the Okta admin console roughly 60 days before a certificate expires. Keep in mind that each application with its own certificate also has its own expiry date and its own SP to update, so the per-app model trades one rotation for many; track the dates in one place rather than relying on the console reminder alone.
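The two ways the procedure above goes wrong are an SP that was never given the new certificate (step 2) and a certificate that quietly runs out (step 3). The following Go program, added here as an example and not Okta's own tooling, checks both from the application's SAML IdP metadata: it pulls every signing certificate out of the metadata, computes its SHA-256 fingerprint, compares that with the fingerprints the SP is configured to trust, and flags anything inside a 60-day window (the constant mirrors the reminder interval described above). The metadata document, its entityID and the self-signed certificate it wraps are constructed at runtime so the program runs offline; in practice you would feed it the Identity Provider metadata Okta publishes for the app and the fingerprint shown in the SP's configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// warnDays mirrors the ~60-day expiry reminder Okta raises in the admin console.
const warnDays = 60

// The part of SAML 2.0 IdP metadata this check needs. encoding/xml matches on local
// names when a tag names no namespace, so the md:/ds: prefixes do not matter.
type entityDescriptor struct {
	XMLName xml.Name `xml:"EntityDescriptor"`
	Keys    []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// Finding: fingerprint (lowercase hex), whole days to notAfter (negative once expired),
// whether the SP trusts this certificate, and whether it is inside warnDays.
type Finding struct {
	Fingerprint  string
	DaysLeft     int
	TrustedBySP  bool
	ExpiringSoon bool
}

// FingerprintDER hashes the DER certificate the way SP consoles usually display it.
func FingerprintDER(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// CheckRotation reads the IdP's signing certificates out of its metadata, compares
// them with the fingerprints the SP trusts (step 2 above) and flags those inside the
// expiry window (step 3). A KeyDescriptor with no "use" attribute may sign as well.
func CheckRotation(metadata string, spTrusted []string, now time.Time) ([]Finding, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return nil, err
	}
	trusted := map[string]bool{}
	for _, fp := range spTrusted {
		trusted[strings.ToLower(fp)] = true
	}
	var out []Finding
	for _, k := range ed.Keys {
		if k.Use != "" && k.Use != "signing" {
			continue
		}
		// Metadata tools line-wrap the base64, so strip all whitespace first.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
		if err != nil {
			return nil, fmt.Errorf("X509Certificate is not valid base64: %w", err)
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		fp := FingerprintDER(der)
		days := int(c.NotAfter.Sub(now).Hours() / 24)
		out = append(out, Finding{fp, days, trusted[fp], days <= warnDays})
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("metadata contains no signing certificate")
	}
	return out, nil
}

// sampleMetadata is a constructed IdP metadata document shaped like the one Okta publishes
// per app, wrapping a throwaway self-signed certificate so the example runs offline.
func sampleMetadata(notBefore, notAfter time.Time) (string, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "constructed-sample-idp"}} // placeholder, not a real IdP
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	const doc = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/sample-app"><md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`
	return fmt.Sprintf(doc, base64.StdEncoding.EncodeToString(der)), der
}

func main() {
	// A certificate that expires in 30 days while the SP still trusts only the old one.
	now := time.Now()
	meta, _ := sampleMetadata(now.Add(-time.Hour), now.Add(30*24*time.Hour))
	findings, err := CheckRotation(meta, []string{"fingerprint-of-previous-cert"}, now)
	fmt.Printf("%+v %v\n", findings, err)
}
```

Run it against real data by replacing the call to sampleMetadata with the app's IdP metadata and the SP's configured fingerprint: a finding with TrustedBySP false means step 2 is still outstanding for that certificate, and ExpiringSoon true means step 3 is due. Because every per-app certificate produces its own finding, the same loop scales to a whole org once the metadata documents are collected.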