Unable to Activate Okta SAML Signing Certificate for AWS IAM Identity Center
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article clarifies why a new Security Assertion Markup Language (SAML) signing certificate cannot be activated for the Amazon Web Services (AWS) IAM Identity Center application in the Okta Integration Network (OIN). The issue occurs when attempting to rotate or activate a newly generated certificate before the initial application configuration is complete.

When attempting to activate the certificate, the following error message appears in the Okta Admin Console:

 

Unable to activate key

The underlying API response indicates the following error:

 

{"errorCode":"E0000039","errorSummary":"Operation on application settings failed.","errorLink":"E0000039","errorId":"oaed8QLr2s5T1i_WNnMUMExTQ","errorCauses":[{"errorSummary":"acsURL: The field cannot be left blank"},{"errorSummary":"entityID: The field cannot be left blank"}]}

Applies To
  • Okta Integration Network (OIN)
  • Amazon Web Services (AWS) IAM Identity Center
  • Security Assertion Markup Language (SAML) Signing Certificates
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Cause

Certificate activation fails because the required SAML configuration fields are left blank. The application settings for AWS SSO ACS URL and AWS SSO issuer URL must be populated before the system can process certificate updates or activations.

 

Advanced Sign-on Settings

Solution

To resolve this issue, complete the application configuration before activating the certificate:

  1. In the Okta Admin Console, navigate to Applications > Applications.
  2. Select the AWS IAM Identity Center application.
  3. Select the General tab and click Edit.
  4. Enter the required values in the following fields:
    • AWS SSO ACS URL
    • AWS SSO issuer URL
  5. Click Save.
  6. Select the Sign On tab.
  7. Locate the SAML Signing Certificates section.
  8. Click Actions next to the desired certificate and select Activate.
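
A pre-flight check for automation that rotates this certificate, as an added example (not Okta's code): it parses the error body quoted above into the blank field names and checks an app object before activation is attempted. The mapping of acsURL and entityID to the two Admin Console labels and the settings.app layout of the app object are assumptions; the app objects are constructed samples.

```python
import json

# Field names as they appear in errorCauses on this page, mapped to the labels
# named in the Cause section (the pairing is an assumption, not stated by Okta).
FIELD_LABELS = {"acsURL": "AWS SSO ACS URL", "entityID": "AWS SSO issuer URL"}
BLANK_DETAIL = "The field cannot be left blank"


def blank_fields_from_error(body: str) -> list[str]:
    """Return the field names that an E0000039 response reports as blank."""
    err = json.loads(body)
    if err.get("errorCode") != "E0000039":
        return []
    fields = []
    for cause in err.get("errorCauses", []):
        name, sep, detail = cause.get("errorSummary", "").partition(":")
        if sep and detail.strip() == BLANK_DETAIL:
            fields.append(name.strip())
    return fields


def preflight(app: dict) -> list[str]:
    """Return labels of required fields that are blank (assumed settings.app layout)."""
    app_settings = (app.get("settings") or {}).get("app") or {}
    return [label for key, label in FIELD_LABELS.items()
            if not str(app_settings.get(key) or "").strip()]


# Error body quoted on this page.
SAMPLE_ERROR = (
    '{"errorCode":"E0000039","errorSummary":"Operation on application settings failed.",'
    '"errorLink":"E0000039","errorId":"oaed8QLr2s5T1i_WNnMUMExTQ","errorCauses":['
    '{"errorSummary":"acsURL: The field cannot be left blank"},'
    '{"errorSummary":"entityID: The field cannot be left blank"}]}'
)

# Constructed app objects (placeholder values, not real tenant data).
UNCONFIGURED_APP = {"settings": {"app": {"acsURL": None, "entityID": "  "}}}
CONFIGURED_APP = {"settings": {"app": {
    "acsURL": "https://example.invalid/saml/acs",
    "entityID": "https://example.invalid/saml/issuer",
}}}

if __name__ == "__main__":
    print("Reported blank:", blank_fields_from_error(SAMPLE_ERROR))
    print("Fill in before activating:", preflight(UNCONFIGURED_APP))
```

An empty list from preflight means both fields are populated and the activation step can proceed.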