SAML SSO Working Even if the IdP Signature Certificate is Expired
Overview
This article explains how Okta behaves, when acting as the Service Provider (SP), once the Identity Provider's (IdP) signing certificate has expired. Okta does not block user authentication through a SAML IdP when the uploaded certificate passes its expiration date. Instead, it highlights the expiration date in red on the IdP configuration. This is an intentional design choice: it prevents a mass authentication outage the moment a certificate expires and gives administrators time to replace the certificate with minimal disruption.
Applies To
- Okta is configured with an external (Inbound SAML / 3rd party) IdP, and that IdP's signing certificate has been uploaded into Okta.
- The 3rd party IdP certificate stored in Okta has passed its expiration date.
- Security Assertion Markup Language (SAML)
Cause
Users can continue to authenticate to Okta through an IdP even though the IdP certificate uploaded into Okta has expired.
Solution
Continued user authentication through an IdP after its certificate expires is not a malfunction; this behavior is by design. The SAML signature on an assertion is verified with the public key in the uploaded certificate, and that cryptographic check does not depend on the certificate's validity dates, so Okta treats expiration as a warning rather than a hard failure. The objective is to avoid locking out a large number of users at the instant a certificate expires, while the red expiration date on the IdP configuration makes the overdue rotation visible. Administrators should replace the expired certificate with the IdP's current signing certificate as soon as practical; authentication continues normally in the meantime, which keeps the impact to a minimum.
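The following is an added, illustrative model of the SP-side decision described above; it is not Okta's code. It builds a self-signed IdP certificate whose validity window has already ended (constructed test data), signs assertion bytes with the IdP key, and then shows that the SP's signature check still succeeds because it uses only the public key, while the expiry check is a separate policy step that can either warn (the behavior this article describes) or reject. Real SAML signs via XML-DSig rather than raw bytes; the `cryptography` package is assumed to be installed, and the hostname `idp.example.test` is made up.

```python
"""Illustrative SP-side check (not Okta's implementation): signature
verification is independent of the certificate validity window; what to
do about an expired certificate is a separate policy decision."""
import datetime
from dataclasses import dataclass
from typing import Optional

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_idp_cert(days_until_expiry: int):
    """Build a self-signed IdP signing certificate (constructed test data).
    A negative days_until_expiry yields a certificate that has already expired."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    # Hypothetical subject name used only for this example.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "idp.example.test")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=365))
        .not_valid_after(now + datetime.timedelta(days=days_until_expiry))
        .sign(key, hashes.SHA256())
    )
    return key, cert.public_bytes(serialization.Encoding.PEM)


def idp_sign(key, assertion: bytes) -> bytes:
    """IdP side: sign the assertion bytes with RSA PKCS#1 v1.5 / SHA-256
    (the algorithm pair most SAML deployments use under XML-DSig)."""
    return key.sign(assertion, padding.PKCS1v15(), hashes.SHA256())


@dataclass
class Verdict:
    signature_valid: bool
    cert_expired: bool
    accepted: bool
    warning: Optional[str]


def sp_verify(cert_pem: bytes, assertion: bytes, signature: bytes,
              reject_expired: bool = False) -> Verdict:
    """SP side. The cryptographic check uses only the public key, so an
    expired certificate still verifies a genuine signature. Expiry is then
    evaluated on its own and becomes a warning (the lenient behavior this
    article describes) or a rejection when reject_expired is set."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        cert.public_key().verify(signature, assertion,
                                 padding.PKCS1v15(), hashes.SHA256())
        signature_valid = True
    except InvalidSignature:
        signature_valid = False

    # cryptography >= 42 exposes an aware datetime; older versions only a naive UTC one.
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    cert_expired = datetime.datetime.now(datetime.timezone.utc) > not_after

    warning = None
    if cert_expired:
        warning = f"IdP signing certificate expired on {not_after.isoformat()}; rotate it"

    # A bad signature is always rejected; expiry alone is rejected only under strict policy.
    accepted = signature_valid and not (cert_expired and reject_expired)
    return Verdict(signature_valid, cert_expired, accepted, warning)


if __name__ == "__main__":
    key, pem = make_idp_cert(days_until_expiry=-1)   # expired yesterday
    assertion = b"<saml:Assertion ID=\"_constructed\">example</saml:Assertion>"
    sig = idp_sign(key, assertion)
    print(sp_verify(pem, assertion, sig))                       # accepted, with warning
    print(sp_verify(pem, assertion, sig, reject_expired=True))  # rejected by policy
```

The point to take from the model is that the red flag on the IdP configuration is the only signal an expired certificate produces under the lenient policy, so monitoring for that warning (or for certificate expiry dates directly) is what prevents the rotation from being forgotten.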
