
NileshG.53171 (Customer) asked a question.
Workspace ONE Access → Okta Federation: Where to Update Metadata / Signing Certificate?
We are currently working through the Omnissa Workspace ONE Access branding / certificate migration and have an existing Okta‑federated SAML integration that has been in place for ~6–7 years.
This question is based on our ongoing support case with Omnissa:
Environment Overview
• IdP: Okta
• SP: Workspace ONE Access (formerly VMware, now Omnissa)
• Federation type: SAML (Okta → Workspace ONE Access)
• Integration is out‑of‑the‑box Okta app, configured many years ago
What Omnissa Is Asking Us To Do
Omnissa is instructing us to:
• Update SAML metadata and/or signing certificate
• Complete this as part of the Workspace ONE Access URL & certificate branding migration
• They specifically state this must be done for:
    1. Web App / Resource (SAML application)
    2. Identity Provider configuration
However, the guidance assumes Okta allows metadata or certificate updates in a way that we do not see in practice.
The Problem / Confusion
When we review the Workspace ONE Access application in Okta:
• There is no option to upload new metadata
• There is no option to update the IdP signing certificate
• The app only shows:
    • ACS / Entity ID URLs
    • Option to download the existing certificate (which is already loaded in WS1)
• The configuration appears locked / managed by the app template
Omnissa support is advising:
• “Provide new XML or certificate to Okta and update federation”
• But from the Okta admin UI, there is no obvious place to do this
Key Questions for the Okta Community
We are looking for Okta‑specific clarification:
1. For the Workspace ONE Access Okta app, where exactly is the signing certificate or metadata updated?
2. Is this:
    • A manual SAML app change?
    • A hidden app‑level certificate rotation?
    • Something that must be done via Okta Support / backend?
3. If Workspace ONE Access is acting as SP, does Okta require:
    • Creating a new SAML app?
    • Rotating the Okta org signing cert instead?
4. Has anyone completed the Omnissa WS1 Access certificate / domain migration using Okta and can confirm the exact Okta-side change?
What We’re Trying to Avoid
• Recreating the app and breaking device trust
• Unnecessary user re‑authentication
• Blind certificate changes without understanding the impact
Any guidance, screenshots, or real‑world examples from Okta admins who have completed this migration would be extremely helpful.
Thanks in advance!

Hello @NileshG.53171 (Customer), thank you for posting on our Community page!
The Signing Certificate is located under the Sign On tab; you need to scroll down on that page, and the third option would be the Signing Certificate. You can generate one from there and then activate it. Once that is done, the metadata will be updated with the new certificate.
You can check our doc as well:
https://help.okta.com/oie/en-us/content/topics/apps/manage-signing-certificates.htm
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
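
A check that can be run before and after activating a new signing certificate, given here as an added example that is not part of the original thread or of Okta's documentation: it pulls the signing certificate(s) out of IdP SAML metadata and compares their SHA-256 fingerprints with the ones the SP currently trusts. The metadata, the certificate bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints (hex) of every IdP signing certificate in the metadata."""
    root = ET.fromstring(metadata_xml)  # parse only metadata from your own IdP
    prints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha256(der).hexdigest())
    return prints

def rotation_status(metadata_xml, sp_trusted):
    """Compare what the IdP publishes with the fingerprints loaded on the SP."""
    published = set(signing_fingerprints(metadata_xml))
    return {
        # Assertions signed with these would fail validation on the SP.
        "untrusted_by_sp": sorted(published - sp_trusted),
        # The SP still trusts these although the IdP no longer publishes them.
        "stale_on_sp": sorted(sp_trusted - published),
        "in_sync": bool(published) and published == sp_trusted,
    }

# Constructed sample input: placeholder bytes stand in for real DER certificates.
OLD_DER = b"constructed-old-certificate"
NEW_DER = b"constructed-new-certificate"

def sample_metadata(der):
    b64 = base64.b64encode(der).decode()
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/constructed">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    sp_trusted = {hashlib.sha256(OLD_DER).hexdigest()}  # what the SP has loaded today
    print("before activation:", rotation_status(sample_metadata(OLD_DER), sp_trusted))
    print("after activation: ", rotation_status(sample_metadata(NEW_DER), sp_trusted))
```

A non-empty `untrusted_by_sp` after activation means the SP side has to be updated with the new certificate before it will accept assertions signed with it.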