Renew the SAML certificate

Renew the UserLock SSO SAML certificate before it expires to avoid a total interruption of SSO access.

Published October 14, 2025

Introduction

The SAML certificate is what establishes trust between UserLock SSO and your federated SaaS applications. It guarantees that authentication requests truly come from your UserLock server and that user logins remain secure.

This certificate has a limited lifetime and must be renewed before it expires.
If it is not renewed in time, all SSO access will stop working: users and administrators alike will be unable to sign in to any connected application until the certificate is replaced and the SSO service restarted.

This guide explains how to monitor, plan, and safely renew the SAML certificate using the UserLock Configuration Wizard.

Where and when to renew

You can monitor and manage the certificate lifecycle directly from the UserLock console or the Configuration Wizard.

Where to check the certificate status

The certificate status is displayed in:

  • The UserLock console: ⚙️ Server settings ▸ Single Sign-On

  • The Configuration Wizard: Single Sign-On

Each status indicates what action is required:

| Status | Meaning | Action |
|---|---|---|
| 🟩 Valid | The SAML certificate is active and up to date. | No action required. |
| 🟨 Expiring soon | The certificate will expire within 30 days. | Renewal is available from the Configuration Wizard. |
| 🟥 Expired | The certificate is no longer valid. SSO access is blocked until renewal completes. | Renew immediately. |

When renewal becomes available

Exactly one month before expiration, UserLock automatically generates a new certificate in the background.

At this stage, renewal can be performed at any time in the UserLock Configuration Wizard.

If email notifications are configured, administrators automatically receive an alert when the new certificate becomes available, reminding them to complete the renewal before the existing one expires.

Recommendations
  • 💡 Enable email notifications to be alerted in advance of certificate expiration. Configure the UserLock email settings to receive the notifications.

  • ⚠️ Do not wait until the last moment. If the certificate expires, all SSO access will be blocked until renewal is completed.
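As a complement to the email notifications, the status thresholds from the table above can be checked independently against the certificate file itself. The following PowerShell is an added example, not part of UserLock or of the original guide; the function names, the `$path` variable and the demo certificates are hypothetical. It assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
# Added example (not UserLock code). Thresholds mirror the status table above.
function Get-SamlCertificateStatus {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 30   # "Expiring soon" window from the page
    )
    $remaining = $Certificate.NotAfter - $Now   # NotAfter is local time, like Get-Date
    if     ($remaining.TotalSeconds -le 0)      { $status = 'Expired' }
    elseif ($remaining.TotalDays -le $WarnDays) { $status = 'Expiring soon' }
    else                                        { $status = 'Valid' }

    # SHA-256 over the DER encoding: compare it with the fingerprint of the
    # certificate actually installed in each SaaS console after Step 2.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $hash = $sha.ComputeHash($Certificate.RawData) }
    finally { $sha.Dispose() }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        DaysLeft = [math]::Floor($remaining.TotalDays)
        Status   = $status
        Sha256   = [BitConverter]::ToString($hash) -replace '-', ':'
    }
}

# Constructed sample input: throwaway self-signed certificates built in memory.
# In practice, load the file exported from the wizard instead, e.g.
# [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
function New-DemoCertificate([string]$Name, [datetime]$NotAfter) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$Name", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]$NotAfter.AddYears(-1), [DateTimeOffset]$NotAfter)
}

$now = Get-Date
@(
    New-DemoCertificate 'demo-valid'    ($now.AddDays(200))
    New-DemoCertificate 'demo-expiring' ($now.AddDays(12))
    New-DemoCertificate 'demo-expired'  ($now.AddDays(-3))
) | ForEach-Object { Get-SamlCertificateStatus -Certificate $_ -Now $now } |
    Format-Table Subject, NotAfter, DaysLeft, Status
```

Run from a scheduled task against the exported certificate file, any status other than Valid can raise an alert through a channel that does not depend on the UserLock email settings.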

When to plan the renewal

During the renewal process, SSO authentication is temporarily unavailable.
Users will not be able to sign in to any federated application until the new certificate is fully applied and the SSO service restarts.

For this reason, plan the renewal during a low-activity period, for example after hours or during scheduled maintenance.

This minimizes user disruption while ensuring the transition happens safely before expiration.

Renewal procedure

The SAML certificate renewal is performed entirely through the UserLock Configuration Wizard.

This guided workflow ensures that each step is completed in the right order to prevent accidental service interruption.

Step 1. Generate the new certificate

  1. Open the UserLock Configuration Wizard on the server hosting the UserLock SSO service.

  2. Go to Single Sign-On ▸ Modify.


  3. From this screen, you can see the current SAML certificate status.

    → If a new certificate is available, click Renew the certificate to start the renewal process.


  4. The wizard displays an overview of the upcoming steps.
    → Click Start to begin.


  5. Before generating the new certificate, the wizard displays a reminder about the service impact.
    ⚠️ Click Generate the new certificate only when you’re ready to proceed with the next steps.

Step 2. Update SaaS applications

The wizard displays a list of all configured SaaS applications (for example: Google Workspace, Zendesk, Dropbox).

For each one:

  1. Download or copy the new certificate displayed in the wizard.

  2. Open the corresponding SaaS administration console.

  3. Replace the existing SSO certificate with the new one.

  4. Tick the checkbox in the wizard once the update is done.

Click on Next step once done.

Notes
  • 💡 Tip: If you’re not sure how to update the certificate in a specific SaaS platform, refer to the corresponding UserLock SSO configuration guide for detailed steps.

  • Some SaaS providers let administrators sign in without federation, which can help avoid being locked out during renewal. Still, make sure to follow the full procedure carefully.

Step 3. Update Microsoft 365 (if applicable)

If Microsoft 365 is among the configured applications, a dedicated screen appears automatically.

From this step:

  1. Launch the Microsoft 365 Configuration Tool directly from the wizard.

  2. Follow the guided process to update the federation and apply the new certificate.

  3. Tick I've updated the Microsoft 365 certificate when the operation is complete.

  4. Click Next step.

Step 4. Restart the UserLock SSO service

  1. The wizard stops and restarts the service automatically. Once done, click Continue.

  2. A confirmation screen then shows the new certificate expiration date. Click Continue.

  3. The certificate status and date should be updated.

🎉️ You can now close the wizard. SSO logins for all users and applications are restored.