Update a SAML certificate
Unlike SAML, OpenID Connect (OIDC) connections do not rely on temporary certificates. Consider using OIDC instead if you prefer to avoid updating certificates.
SAML certificates expire over time, so to make sure access through a specific connection is not interrupted, keep track of when the associated certificate is due to expire and renew it before that date. You can then update your connection with the new metadata in Sitecore Cloud Portal.
- If your identity provider (IdP) only supports one certificate at a time:
  - We strongly recommend you establish a maintenance window for all team members that connect via the affected SAML connection. This helps to ensure nobody's work is interrupted when you revoke the existing certificate. You can then update the certificate in Cloud Portal during the maintenance window while nobody needs to log in.
  - Before you renew the certificate with your IdP, deactivate the SAML connection. When you do this, logging in to the Cloud Portal will require a Sitecore Cloud Portal account, associated with your SSO email address, that has the Organization Admin or Organization Owner role.
    - If your Sitecore Cloud Portal credentials have expired, reset them via email.
- If your IdP supports multiple certificates at a time, plan to create the new certificate before you revoke the old one. This ensures that the connection always has at least one valid certificate.
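The planning advice above depends on knowing when the IdP's signing certificate expires. The following script is an added example, not Sitecore's or any IdP's own code: it reads an IdP metadata document in the SAML 2.0 metadata format, pulls out each signing certificate from the ds:X509Certificate elements, decodes the DER and walks the ASN.1 structure to the notAfter field, then reports how many days remain. It uses only the Python standard library. The metadata document and the certificate inside it are constructed for the demo (the certificate is an unsigned skeleton carrying only the fields the parser reads, not a real key); the entity ID and the 30-day warning threshold are assumptions.

```python
"""Report SAML IdP signing-certificate expiry from SAML metadata (stdlib only).

Added example. The metadata and certificate below are constructed for the demo;
point expiry_report() at the metadata downloaded from a real IdP to use it.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Split the body of a DER SEQUENCE into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = _read_tlv(seq_body, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """X.509 Time: 0x17 UTCTime (YYMMDDHHMMSSZ) or 0x18 GeneralizedTime."""
    text = val.decode("ascii")
    if tag == 0x17:                                     # RFC 5280 two-digit year rule
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_not_after(der):
    """Return the notAfter time of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    fields = _children(_children(cert_body)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])                  # serial, sigAlg, issuer, validity
    return _parse_time(*validity[1])                    # validity = {notBefore, notAfter}


def signing_certs(metadata_xml):
    """DER bytes of every signing certificate in the metadata (no 'use' = both uses)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            certs.append(base64.b64decode("".join(c.text.split())))
    return certs


def expiry_report(metadata_xml, now=None, warn_days=30):
    """List of (not_after, days_left, status) for each signing certificate."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = []
    for der in signing_certs(metadata_xml):
        not_after = cert_not_after(der)
        days_left = (not_after - now).days
        status = "expired" if days_left < 0 else "renew-soon" if days_left <= warn_days else "ok"
        report.append((not_after, days_left, status))
    return report


# ---- constructed demo input (not a real certificate or IdP) --------------------
def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the skeleton demo certificate."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_demo_cert(not_after):
    """Unsigned, key-less certificate skeleton with a real validity period."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = _der(0x30, utc(not_after - dt.timedelta(days=365)) + utc(not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


DEMO_NOT_AFTER = dt.datetime(2031, 6, 1, tzinfo=dt.timezone.utc)
DEMO_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{base64.b64encode(make_demo_cert(DEMO_NOT_AFTER)).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for not_after, days, status in expiry_report(DEMO_METADATA):
        print(f"signing cert expires {not_after:%Y-%m-%d}: {days} days left ({status})")
```

Run it on a schedule against the metadata URL you configured in Cloud Portal and alert on "renew-soon" so the maintenance window (for single-certificate IdPs) or the overlapping rollover (for multi-certificate IdPs) can be booked before the date arrives. KeyDescriptor elements with no `use` attribute are treated as signing certificates, which matches the metadata schema's meaning of an absent attribute.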
To update a SAML certificate in Cloud Portal:
1. Renew the certificate according to the instructions provided by your IdP. For example, Ping Identity provides instructions for updating a signing certificate, which will create the necessary metadata to update your connection.
2. Copy the metadata (including the renewed certificate) from your IdP.
3. Navigate to the Sitecore Cloud Portal SSO page.
   Important: If you're carrying out this work during a scheduled maintenance window while there is no active certificate, you'll need to deactivate the SAML connection and then log in using Sitecore credentials instead of SAML.
4. Next to the SAML connection you want to update, click Configure.
5. In Step 2: Add the identity provider metadata, paste the updated metadata in the field provided.
   Tip: If you're using a metadata URL and the URL hasn't changed, you can skip this step.
6. Click Save. If you're using the Metadata URL option, saving the connection fetches the latest metadata (including the new certificate) from your IdP, even if the URL has not changed.
7. If you deactivated the SAML connection as part of a planned maintenance window, reactivate it so team members can use it again.