Certificate renewal for SAML SSO can be done easily within the Alloy dashboard. Follow these steps to renew your certificate:
1. With your IdP service, activate the new certificate first before downloading any files
2. Export the SAML metadata XML after activation to ensure the XML contains the active certificate
3. In Alloy, navigate to Settings → Authentication
4. Select Edit Auth Configuration from the Auth Configuration menu
5. Follow the steps to upload the new metadata XML file to replace the existing SAML configuration
Critical Note: Certificate Order in Metadata XML
Alloy parses the metadata XML file from top to bottom and stores the first certificate it finds. If your metadata XML includes multiple certificates (both inactive and active), ensure the active certificate appears first in the file.
If the first certificate in the XML is expired or inactive, SSO login will fail with signature validation errors. To avoid this:
- Verify the first certificate listed in your metadata XML is the active one
- If necessary, manually edit the XML to remove expired or inactive
<ds:KeyDescriptor>signing blocks before uploading
For detailed SAML configuration instructions, see How to Configure SAML SSO.
Comments
0 comments
Please sign in to leave a comment.