Security Risk for Org-Wide Certificate
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

System Administrators receive a pop-up for a Security Assertion Markup Language (SAML) application that has no per-app certificate set up and instead uses the org-wide certificate, as shown in the screenshot below:

Security risk

The active certificate is scoped to your whole org. For the security of your apps, Okta recommends switching to a certificate scoped to only this app. To do this, click "Generate new certificate". Then click "Actions" on the new certificate and follow the SAML Setup Instructions.

[Screenshot: Security risk warning]

Applies To
  • Certificate
  • Security Assertion Markup Language (SAML)
  • Org-wide Certificate
Cause

In May 2022, Okta changed the certificate scheme for SAML applications from a single org-wide certificate to per-application certificates.

Solution

To better protect applications from certificate compromise, Okta moved to a per-application certificate scheme, which provides a more flexible and secure way of signing assertions for each application. If a per-application certificate is compromised or exploited, only that application is affected, rather than several or all of the applications in the org.

Switching is not strictly required, but it is the recommended way to proceed in this case. Note that, depending on the application, the new certificate may also need to be provided to the application's administrator or support team so that it is updated on the application side as well; otherwise users may be unable to log in or access the application.
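To find which SAML applications in an org are still signed with a shared certificate, an administrator can compare the active signing key id across apps. The following audit script is an added example, not Okta's own code or tooling; it assumes an SSWS API token and that each app record exposes its active signing key under `credentials.signing.kid`, as the Okta Apps API does, and it runs offline against constructed sample records.

```python
"""Audit Okta SAML apps for a shared (org-wide) signing certificate."""
import json
import urllib.request
from collections import defaultdict


def find_shared_signing_keys(apps):
    """apps: list of {"id": ..., "label": ..., "signing_kid": ...}.
    Returns {kid: [app ids]} for every key id used by more than one app,
    i.e. apps still signed with a shared (org-wide) certificate."""
    by_kid = defaultdict(list)
    for app in apps:
        kid = app.get("signing_kid")
        if kid:
            by_kid[kid].append(app["id"])
    return {kid: ids for kid, ids in by_kid.items() if len(ids) > 1}


def saml_apps_from_okta_json(app_records):
    """Reduce raw /api/v1/apps records to the fields the audit needs,
    keeping only SAML 2.0 apps (signOnMode == "SAML_2_0")."""
    result = []
    for rec in app_records:
        if rec.get("signOnMode") != "SAML_2_0":
            continue
        kid = rec.get("credentials", {}).get("signing", {}).get("kid")
        result.append({"id": rec["id"], "label": rec.get("label", ""), "signing_kid": kid})
    return result


def fetch_apps(org_url, api_token):
    """Fetch one page (up to 200) of app records from the Okta API.
    Assumes an SSWS API token; Link-header pagination is not handled here."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/apps?limit=200",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample records (not real Okta data) so the audit runs offline.
SAMPLE_APPS = [
    {"id": "0oa1", "label": "App A", "signOnMode": "SAML_2_0",
     "credentials": {"signing": {"kid": "orgwide-kid"}}},
    {"id": "0oa2", "label": "App B", "signOnMode": "SAML_2_0",
     "credentials": {"signing": {"kid": "orgwide-kid"}}},
    {"id": "0oa3", "label": "App C", "signOnMode": "SAML_2_0",
     "credentials": {"signing": {"kid": "perapp-kid-c"}}},
    {"id": "0oa4", "label": "App D", "signOnMode": "OPENID_CONNECT"},
]

if __name__ == "__main__":
    shared = find_shared_signing_keys(saml_apps_from_okta_json(SAMPLE_APPS))
    for kid, ids in shared.items():
        print(f"kid {kid} is shared by {len(ids)} SAML apps: {ids}")
```

Replace `SAMPLE_APPS` with `fetch_apps(org_url, token)` to run it against a live org; any kid listed in the output marks apps that should get their own certificate via "Generate new certificate".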
