SAML Certificate
Your SAML applications use X.509 certificates to confirm the authenticity and integrity of messages shared between the Identity Provider (IdP) and the Service Provider (SP).
As a Super administrator, you can use the Admin console to:
- Easily view the X.509 certificates in use by your SAML applications
- Identify the X.509 certificates that are about to expire
Create new certificates and assign them to your SAML applications. This is called certificate rotation.
Why rotate SAML certificates?
X.509 certificates have a five-year lifetime. You should rotate a certificate if it's about to expire, or if it becomes compromised. If a certificate expires before you rotate it, your users won't be able to use SSO to sign in to any SAML applications that use that certificate until you replace it with a new certificate.
Before the expiration of your default certificate, add a second certificate with a new 5-year lifespan, then switch your apps from the expiring certificate. Having two valid certificates allows you to switch some apps over to the new certificate as a test, without affecting apps that are still using the older certificate. When you've moved all apps over to the new certificate, you can delete the old certificate.
Important: After assigning a new certificate to a SAML app in the Admin console, you also need to update the corresponding SP side SSO configuration with the new certificate, or SSO with the app will fail.
How to Manage SAML Certificates?
Your account has one default certificate you can use for all your SAML apps. You can add a second certificate, or delete one or both certificates and generate new certificates:
- Sign in to the Google Admin console with the Super administrator account.
- In the Admin console, go to Menu> Security> Authentication> SSO with SAML applications.
The Certificates section shows the current X.509 certificates. The certificate name, expiration date, contents, and SHA-256 fingerprint are shown. Use the buttons at the right to copy, download, or delete a certificate.
- (Optional) If you have only one certificate, click Add another certificate to create a second certificate.
Note: The most recently generated (newest) certificate becomes the default certificate used to set up SSO for new SAML apps.
- To Delete a certificate
- Click Delete certificate. Deleting a certificate has these results:
- If you have one certificate, a new certificate is automatically generated to replace it.
- if you have two certificates and delete certificate 1, certificate 2 replaces certificate 1.
If the certificate you're deleting is used by any installed SAML apps, a window lists the affected apps, and warns you that SSO with the app will be unavailable until you assign a new certificate to those apps.
Tip: SAML certificate events (deletion, creation, changing a SAML app's assigned certificate) are logged in the Admin audit log.
Update the certificate used by a SAML application
If you replace a certificate used by any of your SAML apps, follow the steps below to assign the new certificate to the affected apps. You'll also need to update the certificate in the SSO settings for those apps on the SP’s administrative website.
- In the Admin console, go to Menu > Apps > Web and mobile apps.
- Click the SAML app to open its Settings page.
- Click Service Provider details.
Under Certificate, the current certificate used by the app is shown, including the certificate ID and expiration date. If you deleted the certificate that was initially used to set up the app, you'll see the warning No certificate assigned. - Click the Down arrow and choose a certificate.
- (Optional) If there's no other certificate available, or you need to create new certificates, click Manage Certificates and follow the instructions in Manage SAML Certificate above.
- After changing the certificate assigned to the SAML app, make sure to also update the app's SSO configuration with the new certificate on the Service Provider's website. SSO with the SAML app won't work until the SP-side configuration is also updated.
Important: After you replace a certificate, it may take up to 24 hours for the new certificate to be available for use by your SAML applications.
Please check the supporting article for reference.