Maintain SAML certificates
Your SAML applications use X.509 certificates to confirm the authenticity and integrity of messages shared between the Identity Provider (IdP) and the Service Provider (SP). As a Super administrator, you can use the Admin console to:
- Easily view the X.509 certificates in use by your SAML applications
- Identify the X.509 certificates that are about to expire
- Create new certificates and assign them to your SAML applications
Replacing a certificate in this way is called certificate rotation.
Why rotate SAML certificates?
You rotate a certificate because it's about to expire, or because it has been compromised for any reason. If the SP also supports multiple SAML certificates, rotating certificates this way can prevent unplanned downtime due to certificates expiring. If not, there's downtime while the certificate change is updated in the SP and then in the IdP.
X.509 certificates have a five-year lifetime. When the X.509 certificate associated with an application expires, your users won't be able to sign in to that application using SAML-based single sign-on (SSO).
Create a new X.509 certificate before your active SAML certificate is due to expire. Assign this new certificate to each of your SAML applications and update their configuration on the SP’s administrative website.
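Knowing the expiry date of the IdP certificate is what drives the rotation schedule above. The following stand-alone script is an added example, not part of this help page or of Google's own tooling: it reads a certificate in PEM form (as downloaded from the Google IDP Information window), walks just enough DER to reach the Validity field of the tbsCertificate, and reports how many days remain, whether the certificate has already expired, whether it falls inside an assumed 60-day rotation window, and its SHA-256 fingerprint (useful for confirming that the SP is configured with the same certificate). The sample certificate it builds for offline use is a constructed, unsigned placeholder whose only realistic content is its structure and validity dates; signature verification is out of scope.

```python
"""Expiry check for an X.509 certificate downloaded from the SAML IdP (added example).

Standard library only: a minimal DER walker reaches the Validity field of
tbsCertificate, then the script reports days remaining and a fingerprint.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

WARN_DAYS = 60  # assumption: flag certificates with fewer than 60 days left


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, value: bytes) -> datetime:
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text   # RFC 5280 two-digit year rule
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def certificate_validity(der: bytes):
    """Return (notBefore, notAfter) taken from the tbsCertificate Validity field."""
    _, cert, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)           # [0] EXPLICIT version is optional ...
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)       # ... so only then is the next field serialNumber
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)           # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)      # validity ::= SEQUENCE { notBefore, notAfter }
    t1, not_before, p = _read_tlv(validity, 0)
    t2, not_after, _ = _read_tlv(validity, p)
    return _parse_time(t1, not_before), _parse_time(t2, not_after)


def check_certificate(pem: str, now=None, warn_days: int = WARN_DAYS) -> dict:
    """Summarise validity; `now` may be None (current time), a datetime, or an ISO 8601 string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    der = pem_to_der(pem)
    not_before, not_after = certificate_validity(der)
    days_left = (not_after - now).days
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "expired": now >= not_after,
        "rotate_now": days_left < warn_days,
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_sample_pem(not_before: bytes, not_after: bytes) -> str:
    """Constructed sample: structurally valid but unsigned certificate with the given UTCTime bounds."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSAEncryption
    key_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))  # rsaEncryption
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"example-idp"))))
    validity = _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, not_after))
    spki = _tlv(0x30, key_alg + _tlv(0x03, b"\x00" * 33))        # dummy key bits, not a real key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sig_alg + name + validity + name + spki)
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 33))  # dummy signature bits
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Replace the constructed sample with open("idp-cert.pem").read() for a downloaded certificate.
    sample = constructed_sample_pem(b"210401000000Z", b"260401000000Z")
    print(check_certificate(sample))
```

Run it against the PEM file you downloaded from the Admin console; a `rotate_now` of `True` means it is time to generate the replacement certificate and update each affected SP, and the fingerprint lets you confirm on the SP's administrative website which of the two IdP certificates it currently trusts.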
Set up and manage SAML certificates
Step 1: Create and update SAML certificates in the Setup SSO with Google identity provider section
Your account has one default certificate you can use for all your SAML apps. If you’d like to change the certificate or rotate already linked certificates, here's how you create a new set of X.509 certificates:
- From the Admin console Home page, go to Security and then the SSO settings. You must be signed in as a super administrator for this task.
- Click Set up single sign-on (SSO) for SAML applications. If you don't have that option, click Set up single sign-on (SSO).
- Under Setup SSO with Google identity provider, next to Certificate 1, click Generate certificate.
Once you've generated a certificate, the certificate file name appears next to the Certificate 1 label, with the expiration date under the file name.
- (Optional) Under Setup SSO with Google identity provider, next to Certificate 2, click Generate certificate.
Once you've generated a certificate, the certificate file name appears next to the Certificate 2 label, with the expiration date under the file name.
- Now that you've generated your certificates, proceed to the next sections to manage your certificates for your custom SAML apps or your pre-configured SAML apps.
Step 2: Manage certificates for custom SAML apps
- From the Admin console Home page, go to Apps and then SAML apps.
To see Apps on the Home page, you might have to click More controls at the bottom.
- Click the Add a service/App to your domain link, or in the bottom corner, click Add.
- Click Setup my own custom App.
The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
- Collect the service provider Setup information:
- Copy the Entity ID and the Single Sign-On URL field values and download the X.509 Certificate.
- Paste those values into the appropriate service provider Setup fields.
- Click Next.
- If the certificate is expired, click Manage certificates to update the X.509 certificate.
If you opt to create 2 certificates, the latest will be used by default.
- Proceed to Step 4 to delete and then replace any expiring or compromised certificates for your custom SAML apps.
Step 3: Manage certificates for pre-configured SAML apps
- Configure the selected application as a SAML SP.
- For an application with no certificate, under Service Provider Details, click Generate certificate.
Once you've generated a certificate, it appears in the Google IDP Information window for each SAML app you configure, with the expiration date under the file name.
For active pre-configured cloud applications, there is a manage certificates link.
- Click manage certificates and the manage Identity Provider certificates subwindow opens.
There are entries for 2 certificates. Once you've generated a certificate, it appears with the expiration date next to the file name. If you opt to create 2 certificates, the latest will be used by default.
- Proceed to the next section to delete and then replace any expiring or compromised certificates for your custom SAML apps or your pre-configured SAML apps.
Step 4: Delete and replace expiring or compromised certificates
- Next to any certificate you choose, click the delete icon to replace it.
If you delete a certificate that's in use by an active SAML app, a subwindow displays the number of SAML apps affected by the pending removal.
The SAML apps that use the deleted certificate are down while the certificate is updated in the SP and then the IdP.
- Click Yes to delete the certificate.
- Next to the entry with no certificate, click Generate certificate.
- Under Service Provider Details, select the down arrow next to the Certificate field to expose both certificates.
- Choose a certificate.
You need to do this for each of your affected SAML applications one by one and update their configuration on the SP’s administrative website.
- Click Save.
Changes to the SAML certificates are logged in the Admin audit log.