SAML SSO Works Even After Third Party IdP Signature Certificate is Renewed on the IdP’s Side
Overview
This article explains why SAML logins continue to work with the existing Identity Provider (IdP) certificate after the IdP certificate is renewed on the IdP end.
Applies To
- Expired Certificate
- Identity Provider (IdP)
- Certificate Renewal
- Security Assertion Markup Language (SAML)
Solution
When the IdP certificate is renewed using the same key pair, the following applies:
- If the IdP certificate expires, the IdP may continue to use the expired certificate if it is permitted to do so.
- If the renewal issues a new certificate without changing the public key or anything other than the validity dates, the certificate previously uploaded to Okta can still validate the IdP's signed responses, because the key pair is unchanged.
However, if the IdP certificate is renewed by generating a new key pair (a process known as re-keying), the new public certificate must be uploaded to Okta so that Okta can verify the IdP and validate its responses.
NOTE: The SAML specifications do not require an expiry check. Okta does not validate the expiration date of the SAML IdP certificate, so SAML logins continue to function even after the IdP certificate has expired. The SAML response is still validated against the uploaded IdP certificate, but the certificate's expiration date is disregarded.
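The following added example (not part of this article or of Okta's own tooling) uses OpenSSL to show the difference described above: a renewed certificate with the same key still verifies the IdP's signature, a re-keyed one does not, and the public-key (SPKI) fingerprint tells an administrator which case they are in. The key files, the CN idp.example.test and the signed payload are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: certificate renewal (same key) vs re-key (new key).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Original IdP key pair and certificate (constructed, short validity).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout idp.key -out idp_v1.crt \
  -days 1 -subj "/CN=idp.example.test" 2>/dev/null
# Renewal: a new certificate over the SAME private key, new validity window.
openssl req -x509 -new -key idp.key -out idp_v2.crt \
  -days 365 -subj "/CN=idp.example.test" 2>/dev/null
# Re-key: a brand-new private key and certificate.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout idp_rekey.key -out idp_rekey.crt \
  -days 365 -subj "/CN=idp.example.test" 2>/dev/null

# SHA-256 over the SubjectPublicKeyInfo: depends only on the public key,
# not on the validity dates, serial or signature of the certificate.
spki_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when both certificates carry the same public key: the
# certificate already uploaded to the SP keeps working, no re-upload needed.
same_key() { [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ]; }

# Constructed stand-in for a SAML response, signed by each IdP key.
printf '<samlp:Response>constructed payload</samlp:Response>' > response.xml
openssl dgst -sha256 -sign idp.key       -out sig_same.bin  response.xml
openssl dgst -sha256 -sign idp_rekey.key -out sig_rekey.bin response.xml

# Verify a signature with the public key taken from a certificate, the way a
# SAML SP uses its stored IdP certificate. Raw signature verification only
# consults the public key; the certificate's validity dates are not checked.
verify_with_cert() {
  openssl x509 -in "$1" -noout -pubkey > "$1.pub"
  openssl dgst -sha256 -verify "$1.pub" -signature "$2" response.xml >/dev/null 2>&1
}

# Explicit expiry check the SP does not perform for you: fails once expired.
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

same_key idp_v1.crt idp_v2.crt    && echo "renewal keeps the key: no upload needed"
same_key idp_v1.crt idp_rekey.crt || echo "re-key changed the key: upload idp_rekey.crt"
verify_with_cert idp_v1.crt sig_same.bin  && echo "old cert verifies renewed IdP's signature"
verify_with_cert idp_v1.crt sig_rekey.bin || echo "old cert rejects re-keyed IdP's signature"
```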
