Maintain SAML certificates

Your SAML applications use X.509 certificates to confirm the authenticity and integrity of messages shared between the Identity Provider (IdP) and the Service Provider (SP). As a Super administrator, you can use the Admin console to:

  • Easily view the X.509 certificates in use by your SAML applications
  • Identify the X.509 certificates that are about to expire
  • Create new certificates and assign them to your SAML applications. This is called certificate rotation.

Why rotate SAML certificates?

X.509 certificates have a five-year lifetime. You should rotate a certificate if it's about to expire, or if it becomes compromised. If a certificate expires before you rotate it, your users won't be able to use SSO to sign in to any SAML applications that use that certificate until you replace it with a new certificate. 

After creating a new certificate, you need to assign it to each of your SAML applications in Google (IdP side), and also update the corresponding SP side SSO configuration with the new certificate.

Manage SAML certificates

Your account has one default certificate you can use for all your SAML apps. You can add a second certificate, or delete one or both certificates and generate new certificates:

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenSet up single sign-on (SSO) for SAML applications.

    You must be signed in as a super administrator for this task.

    The Certificates section shows your current X.509 certificates. You can have up to 2 certificates at one time. The certificate name, expiration date, contents, and SHA-256 fingerprint are shown. Use the buttons at right to copy, download, or delete a certificate.

  3. (Optional) If you have only one certificate, click Add another certificate to create a second certificate.

    Note: The most recently generated (newest) certificate becomes the default certificate used to set up SSO for new SAML apps.

  4. (Optional) To create a new certificate:
    1. Click Delete Delete to delete a certificate.

      If the certificate you're deleting is used by any installed SAML apps, a window lists the affected apps, and warns you that SSO with the app will be unavailable until you assign a new certificate to those apps.

    2. Click Delete certificate. Deleting a certificate has these results:
      • If you have one certificate, a new certificate is automatically generated to replace it.
      • if you have two certificates and delete certificate 1, certificate 2 replaces certificate 1.
  5. If you replaced a certificate used by any of your SAML apps, follow the steps in the next section to assign the new certificate to the affected apps. You'll also need to update the certificate in the SSO settings for those apps on the SP’s administrative website.

Tip: SAML certificate events (deletion, creation, changing a SAML app's assigned certificate) are logged in the Admin audit log.

Update the certificate used by a SAML application

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenWeb and mobile apps.

  3. Click the SAML app to open its Settings page.
  4. Click Service provider details.

    Under Certificate, the current certificate used by the app is shown, including certificate ID and expiration date. If you deleted the certificate that was initially used to set up the app, you'll see the warning No certificate assigned

  5. Click the Down arrow Down Arrow and choose a certificate.
  6. (Optional) If there's no other certificate available, or you need to create new certificates, click Manage certificates and follow the instructions in Manage SAML certificates above.
  7. After changing the certificate assigned to the SAML app, make sure to also update the app's SSO configuration with the new certificate on the Service Provider's website. SSO with the SAML app won't work until the SP-side configuration is also updated. 
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue