Okta Classic Engine | Authentication | Answered | 2024-05-01T14:53:36.000Z | 2023-11-02T14:59:26.000Z | 2023-11-09T16:47:51.000Z

OktaapiS.13210 (Customer) asked a question.

SAML Request Certificate Expiration Date

We have created several IdP servers in Okta to support our customers. We noticed that the metadata generated by Okta contains a cert that is untrusted. The cert has a long expiration date (i.e. 10 years) so it is not something to be concerned about right away. However, this cert will expire in about 4-5 years. When it does, all requests signed by this cert will likely fail on the customer side when they attempt to validate the SAML request (i.e. the AuthnRequest). I'm not seeing any way to manage this with our customers. My main question is: Does Okta simply generate new metadata with the new cert automatically? Note, when this happens it will need to be communicated to all. I do not see a clean way to exchange certs for multiple IdP customers at the same time on a given expiration date.


  • User16594883467582706479 (Customer Support Online Experience)

    Hi, @OktaapiS.13210 (Customer)​ 

     

    Thank you for posting on our Community page!

     

    Okta certificates renew automatically, so there are no actions needed from the Okta administrators. During the renewal process, there should be no service disruptions. If you experience any issues prior to or after the certificate renewal, please contact Okta Support for immediate assistance.

     

    https://support.okta.com/help/s/article/Okta-Certificate-will-expire-Does-the-Okta-admin-need-to-take-any-measure?language=en_US

     

    Thank you for reaching out to our Community and have a great day!

    Selected as Best
  • OktaapiS.13210 (Customer)

    So, not quite sure I follow. If the cert changes, at the very least, I would need to communicate new metadata to the company/organization I've federated with the IdP. If there is any change to the existing Okta cert due to it expiring, that would change the metadata. Wouldn't it? I'm hopeful I can get more details to gain a better understanding of the process.

    • User16594883467582706479 (Customer Support Online Experience)

      Hi, @OktaapiS.13210 (Customer)​ 

       

      Thank you for posting on our Community page!

       

      Basically, SSO will work even if the certificate is expired, giving admins time to renew it.

      The new metadata will need to be added manually, there is no automated way to do it.

       

      Check these articles out for further info:

      https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Expiration-Reminder.html

      https://support.okta.com/help/s/article/saml-sso-working-even-if-the-idp-signature-certificate-is-expired?language=en_US

       

      Furthermore, you could also raise this as a feature request on our ideas.okta.com page.

       

      Thank you for reaching out to our Community and have a great day!

      • OktaapiS.13210 (Customer)

        Thank you again for your response. I want to make sure you have the proper context because I'm not sure you completely understand my question. I'm focused on understanding the process around certificate expiration specific to SAML IDP setup. We have several IDPs set up now, 1 for each company we do business with. There will be many more in the future. We noticed that the Okta generated SAML cert that we share with our member companies is exactly the same for each IDP. We share the public key with our members and this is also part of the metadata. The valid from date for this cert is Friday, April 26, 2019 3:54:32 PM and the valid to date is Thursday, April 26, 2029 3:55:32 PM, obviously also exactly the same. All certs will expire at the same time. I do understand that they will continue to work in an expired state. But, you sent me an article that states certificates renew automatically. Link: https://support.okta.com/help/s/article/Okta-Certificate-will-expire-Does-the-Okta-admin-need-to-take-any-measure?language=en_US

         

        If the Okta generated cert does change in some way "automatically" on some random date and time, this would be a different cert I would assume (and for all our IDPs). If the cert is different then SAML requests originating from our Okta SAML IDPs will be signed by the new cert. Our members will still have the old cert. Seems this would cause validation failures and our members (many of them/all of them) would be unable to authenticate. The problem is: How do we orchestrate exchanging the new certificate with many members at one time without downtime. I hope I've been more clear in my explanation. This seems like an issue unless we can have control over generating the new cert at a time of our own choosing and for each IDP.

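The concern raised in this thread is a standard SAML signing-key rollover problem: if the IdP starts signing with a new certificate before every relying party has added it, signature validation fails on the SP side. The rollover-safe pattern is for the IdP metadata to advertise both the old and the new certificate as signing keys, for each SP to trust every advertised key, and only then for the IdP to switch. The script below is an added example (not Okta's code, and not from any of the posters) that audits IdP metadata from the SP operator's side: it pulls every signing certificate out of the metadata, reads its validity window straight from the DER, fingerprints it (which also makes the "same cert in every IdP's metadata" observation visible), and reports whether an SP that pins a given set of fingerprints is ready for the switch. To run offline, the certificates and metadata are constructed in-code; the certificates are minimal unsigned DER structures whose only meaningful field is the validity window (using the dates quoted in the thread), and the entity IDs under idp.example are placeholders. The parser works unchanged on real metadata.

```python
"""Audit signing certs in SAML IdP metadata and check an SP's readiness for key rollover.
Added example, not Okta's code. Certificates are constructed in-code as minimal unsigned
DER so this runs offline; real metadata carries real certs in the same <ds:X509Certificate>
slot and the same parser reads them.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)

def der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert_der(not_before, not_after):
    """Constructed stand-in: a Certificate whose only meaningful field is Validity (UTCTime)."""
    t = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    empty = der(0x30, b"")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # [0] version v3, serialNumber
                  + empty + empty                                          # signature AlgorithmIdentifier, issuer
                  + der(0x30, t(not_before) + t(not_after))                # validity
                  + empty + empty)                                         # subject, subjectPublicKeyInfo
    return der(0x30, tbs + empty + der(0x03, b"\x00"))                     # signatureAlgorithm, empty BIT STRING

def _tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def _asn1_time(tag, raw):
    s = raw.decode()
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 reads YY < 50 as 20YY, else 19YY
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(cert_der):
    """Walk Certificate -> TBSCertificate -> Validity; returns (notBefore, notAfter)."""
    _, cert, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                     # explicit version present, so serialNumber comes next
        _, _, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)          # issuer Name
    _, validity, _ = _tlv(tbs, pos)
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def idp_metadata(entity_id, certs_der):
    """Constructed IdP metadata that advertises every given cert as a signing key."""
    kds = "".join(
        "<md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
        + base64.b64encode(c).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for c in certs_der)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{entity_id}">'
            f"<md:IDPSSODescriptor>{kds}</md:IDPSSODescriptor></md:EntityDescriptor>")

def signing_certs(metadata_xml):
    """DER of each cert the IdP may sign with (a KeyDescriptor without use= covers signing too)."""
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join(c.text.split()))
            for kd in root.iterfind(".//md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"
            for c in kd.iterfind(".//ds:X509Certificate", NS)]

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def rollover_report(metadata_xml, sp_trusted_fps, now):
    """One row per advertised signing cert: fingerprint, days left, and whether the SP pins it."""
    rows = []
    for c in signing_certs(metadata_xml):
        nb, na = cert_validity(c)
        rows.append({"fp": fingerprint(c), "days_left": (na - now).days,
                     "valid_now": nb <= now <= na, "trusted_by_sp": fingerprint(c) in sp_trusted_fps})
    return rows

def sp_ready_for_rollover(rows):
    """The IdP can switch keys without breaking this SP only if the SP already pins every advertised cert."""
    return bool(rows) and all(r["trusted_by_sp"] for r in rows)

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    old = fake_cert_der(utc(2019, 4, 26, 15, 54, 32), utc(2029, 4, 26, 15, 55, 32))  # window quoted in the thread
    new = fake_cert_der(utc(2024, 1, 1), utc(2034, 1, 1))                              # hypothetical successor
    for eid in ("https://idp.example/partner-a", "https://idp.example/partner-b"):     # same cert -> same fingerprint
        print(eid, [r["fp"][:16] for r in rollover_report(idp_metadata(eid, [old]), set(), now)])
    rows = rollover_report(idp_metadata("https://idp.example/partner-a", [old, new]), {fingerprint(old)}, now)
    for r in rows:
        print(r)
    print("SP ready for rollover:", sp_ready_for_rollover(rows))
```

Run against real metadata, `signing_certs` and `rollover_report` take the XML Okta publishes for each IdP and the fingerprints the partner SP has configured; `sp_ready_for_rollover` returning False for any partner means that partner will reject AuthnRequests the moment the IdP signs with the new key. Point the SP at the IdP's metadata URL rather than a copied certificate where the SP software supports it, and a key the IdP publishes ahead of time is picked up without a manual exchange. The `days_left` column is what a scheduled check would alert on well before the 2029 date the poster quotes.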
This question is closed.