Manage SAML VPN Service Provider Certificate Rotation

Secure Access manages the expiration of service provider certificates for its various connection methods and SAML IdP integrations. A service provider certificate establishes the trust relationship between the service provider (Secure Access) and the IdP. The IdP authenticates users who connect to Secure Access over a Virtual Private Network (VPN) with a configured VPN profile.

When Secure Access retires a service provider certificate, you need to rotate the service provider certificate used by your identity provider (IdP) to ensure admins and end users maintain successful access to applications.

Note: You must download the new Service Provider certificate, update your IdP with this new certificate, and activate the certificate within 24 hours before the current certificate expires. Failure to do so results in SAML user authentication and connection failures.

Procedure

  • View notifications about the expiration of Secure Access certificates that are deployed in SAML IdP integrations and VPN Profiles.
  • Identify those service provider certificates with pending expiration dates.

View Notifications About Expired Service Provider Certificates

  1. Navigate to Secure > Certificates > SAML Authentication > Service Provider Certificates.
  2. Secure Access displays any notifications about certificates that are about to expire. The certificate dashboard displays an alert icon next to certificates with a pending expiration date.

Activate a New VPN Service Provider Certificate

You must update your Identity Provider (IdP) with the new Service Provider certificate before making this certificate active. You cannot roll back to the old certificate.

  1. Navigate to Secure > Certificates > SAML Authentication > Service Provider Certificates.
  2. For the VPN Service Provider certificate, click Activate on the new certificate to launch the activation modal.
  3. To activate a new VPN Service Provider certificate:

a. Click the Download link to download the new VPN Service provider certificate.

b. Update your IdP with this new certificate; see SAML Certificate Renewal Options for more information.

c. Check the box that confirms you uploaded the new certificate to your IdP.

d. Click Activate new certificate to confirm your choice.

Important: You must update your IdP before activating the certificate. Failure to do so results in SAML user authentication and connection failures.

  4. Verify that the new certificate is Active in the VPN Service Provider certificates list.
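As an added check that is not part of Secure Access or this guide, the following Go program inspects a downloaded service provider certificate: it reports the expiry date, flags a certificate that is expired or expiring within a warning window (the 24-hour deadline above), and computes the SHA-256 fingerprint so you can confirm the copy configured in your IdP is the same certificate. The self-signed certificate it builds is constructed for demonstration only; with a real certificate you would pass the PEM bytes downloaded from the activation modal to InspectPEM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CertInfo holds what an admin checks before rotating a service provider certificate.
type CertInfo struct {
	Fingerprint string    // SHA-256 over the DER bytes, hex; compare it with the IdP's copy
	NotAfter    time.Time // certificate expiry
	Expired     bool      // now is already past NotAfter
	ExpiresSoon bool      // still valid, but NotAfter falls within warnWindow of now
}

// InspectPEM parses a PEM certificate and evaluates its expiry relative to now.
func InspectPEM(pemBytes []byte, now time.Time, warnWindow time.Duration) (CertInfo, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertInfo{}, errors.New("input contains no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertInfo{}, err
	}
	sum := sha256.Sum256(cert.Raw)
	expired := now.After(cert.NotAfter)
	return CertInfo{
		Fingerprint: hex.EncodeToString(sum[:]),
		NotAfter:    cert.NotAfter,
		Expired:     expired,
		ExpiresSoon: !expired && now.Add(warnWindow).After(cert.NotAfter),
	}, nil
}

// SelfSignedPEM builds a constructed self-signed certificate for demonstration only
// (a real service provider certificate is downloaded from Secure Access instead).
func SelfSignedPEM(notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-8760 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Run InspectPEM on both the certificate downloaded from Secure Access and the one exported from the IdP; if the fingerprints differ, the IdP has not been updated with the new certificate and activation should wait.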
