Maintain SAML certificates

Your SAML applications use X.509 certificates to confirm the authenticity and integrity of messages shared between the Identity Provider (IdP) and the Service Provider (SP). As a Super administrator, you can use the Admin console to:

  • Easily view the X.509 certificates in use by your SAML applications
  • Identify the X.509 certificates that are about to expire
  • Create new certificates and assign them to your SAML applications
    This is called Certificate Rotation.

Why rotate SAML certificates?

You rotate a certificate when it is about to expire or when it has been compromised for any reason. If the SP supports multiple SAML certificates, rotating certificates this way prevents unplanned downtime from an expiring certificate, because the SP can hold both the old and the new certificate during the changeover. If the SP supports only one certificate, there is downtime while the certificate change is updated in the SP and then in the IdP.

X.509 certificates have a five-year lifetime. When the X.509 certificate associated with an application expires, your users won't be able to sign in to that application using SAML-based Single Sign-On (SSO).

Create a new X.509 certificate before your active SAML certificate is due to expire. Assign this new certificate to each of your SAML applications and update their configuration on the SP’s administrative website.

Set up and manage SAML certificates

Step 1: Create and update SAML certificates in the Setup SSO with Google identity provider section

Your account has one default certificate you can use for all your SAML apps. If you’d like to change the certificate or rotate already linked certificates, here's how you create a new set of X.509 certificates:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security and then Set up single sign-on (SSO).

    To see Security, you might have to click More controls at the bottom.

  3. Under Setup SSO with Google identity provider, next to Certificate 1, click Generate certificate.
    Once you've generated a certificate, the certificate file name appears next to the Certificate 1 label, with the expiration date under the file name.
  4. (Optional) Under Setup SSO with Google identity provider, next to Certificate 2, click Generate certificate.
    Once you've generated a certificate, the certificate file name appears next to the Certificate 2 label, with the expiration date under the file name.
  5. Now that you've generated your certificates, proceed to the next sections to manage your certificates for your custom SAML apps or your pre-configured SAML apps.

Step 2: Manage certificates linked to your own SAML applications
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Apps and then SAML Apps.

    To see Apps on the dashboard, you might have to click More controls at the bottom.

  3. Click the Add a service/App to your domain link, or in the bottom corner, click Add.
  4. Click Setup my own custom App.

    The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
  5. Collect the service provider Setup information:
    1. Copy the Entity ID and the Single Sign-On URL field values and download the X.509 Certificate.
    2. Paste those values into the appropriate service provider Setup fields.
    3. Click Next.
  6. If the certificate is expired, click Manage certificates to update the X.509 certificate.
    If you opt to create 2 certificates, the latest will be used by default.
  7. Proceed to Step 4 to delete and then replace any expiring or compromised certificates for your custom SAML apps.

Step 3: Create and manage certificates linked to your pre-configured cloud applications
  1. Configure the selected application as a SAML SP.
  2. For an application with no certificate, under Service Provider Details, click Generate certificate.

    Once you've generated a certificate, it appears in the Google IDP Information window for each SAML app you configure, with the expiration date under the file name.

    For active pre-configured cloud applications, there is a manage certificates link.
  3. Click manage certificates and the manage Identity Provider certificates subwindow opens.

    There are entries for 2 certificates. Once you've generated a certificate, it appears with the expiration date next to the file name. If you opt to create 2 certificates, the latest will be used by default.
  4. Proceed to the next section to delete and then replace any expiring or compromised certificates for your custom SAML apps or your pre-configured SAML apps.

Step 4: Delete and replace expiring or compromised certificates
  1. Next to any certificate you choose, click the delete icon to replace it.

    If you delete a certificate that's in use by an active SAML app, a subwindow displays the number of SAML apps affected by the pending removal.

    The SAML apps that use the deleted certificate are down while the certificate is updated in the SP and then the IdP.
  2. Click Yes to delete the certificate.
  3. Next to the entry with no certificate, click Generate certificate.
  4. Under Service Provider Details, select the down arrow next to the Certificate field to expose both certificates.
  5. Choose a certificate.

    You need to do this for each of your affected SAML applications one by one and update their configuration on the SP’s administrative website.
  6. Click Save.

Changes to the SAML certificates are logged in the Admin audit log.
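The following Go program is an added example and is not part of this article or of any Google tool. It models the two points the article makes: the expiry check an administrator performs before rotating (parsing a downloaded PEM certificate and reporting days left, a rotation flag, and the SHA-256 fingerprint used to confirm which file the SP actually holds), and why an SP that trusts only one certificate rejects sign-ins during a rotation while an SP that trusts both does not. The certificates are self-signed stand-ins generated locally for "Certificate 1" and "Certificate 2"; the signature check is a simplified ECDSA-over-message model of SAML signature verification rather than XML-DSig; and the names newIdPCert, InspectCert and SPAccepts are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IdPCert is a constructed stand-in for one Admin console certificate: the X.509
// certificate handed to the SP, plus the private key the IdP signs with.
type IdPCert struct {
	Cert *x509.Certificate
	PEM  []byte // what "download the X.509 Certificate" gives the admin
	key  *ecdsa.PrivateKey
}

// newIdPCert builds a self-signed certificate valid for `years` from notBefore
// (the article's certificates last five years). Example fixture only.
func newIdPCert(name string, notBefore time.Time, years int) (*IdPCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return &IdPCert{Cert: cert, key: key, PEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// CertStatus is what an admin needs before deciding whether to rotate.
type CertStatus struct {
	DaysLeft    int    // negative once the certificate has expired
	NeedsRotate bool   // expired or within warnDays of expiry
	SHA256      string // fingerprint, to confirm which file the SP actually holds
}

// InspectCert parses a downloaded PEM certificate and reports its expiry status.
func InspectCert(pemBytes []byte, now time.Time, warnDays int) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
	return CertStatus{
		DaysLeft:    daysLeft,
		NeedsRotate: daysLeft <= warnDays,
		SHA256:      fmt.Sprintf("%x", sha256.Sum256(cert.Raw)),
	}, nil
}

// Sign models the IdP signing a SAML response with the key behind a certificate.
func (c *IdPCert) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// SPAccepts models an SP configured with one or more IdP certificates: the message
// is accepted if any unexpired one verifies it (simplified stand-in for XML-DSig).
func SPAccepts(trusted []*x509.Certificate, msg, sig []byte, now time.Time) bool {
	digest := sha256.Sum256(msg)
	for _, cert := range trusted {
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			continue // an expired certificate must never verify a message
		}
		if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok && ecdsa.VerifyASN1(pub, digest[:], sig) {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)              // constructed "today"
	old, _ := newIdPCert("Certificate 1", now.AddDate(-5, 0, 20), 5) // 20 days from expiry
	fresh, _ := newIdPCert("Certificate 2", now, 5)
	st, _ := InspectCert(old.PEM, now, 30)
	fmt.Printf("Certificate 1: %d days left, rotate=%v, sha256=%s...\n", st.DaysLeft, st.NeedsRotate, st.SHA256[:16])
	msg := []byte(`<samlp:Response ID="constructed"/>`)
	sig, _ := fresh.Sign(msg) // the IdP has already switched to Certificate 2
	fmt.Println("SP trusting Certificate 1 only accepts:", SPAccepts([]*x509.Certificate{old.Cert}, msg, sig, now))
	fmt.Println("SP trusting both certificates accepts:", SPAccepts([]*x509.Certificate{old.Cert, fresh.Cert}, msg, sig, now))
}
```

Run it with `go run` to see the old certificate flagged for rotation and the single-certificate SP rejecting a response signed under the new certificate while the two-certificate SP accepts it. The order in Step 4 follows from this model: the SP must hold the new certificate before the IdP starts signing with it, and an SP that can hold both certificates never has to reject anything in between.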
