UserLock Documentation
UserLock Documentation
You are here: Use cases > Implement Single Sign-On > Certificate Rollover

Certificate Rollover

The Saml certificate shared with SaaS applications will expire after a certain amount of months, depending on the duration that was chosen while activating the feature. Once the certificate has expired, it will not be possible to connect to any SaaS application, possibly administrators included, so it is extremely important to renew it in time.

UserLock SSO automatically renews this certificate one month before its expiration but there are some administration tasks to perform before it is effective as explained below. It is advised to perform these operations when users are less likely to logon to the SaaS applications as the federation may be briefly deactivated while renewing the certificate on the SaaS application side.

To view the video, please accept all cookies.


  1. A primary UserLock SSO server must already be configured.
  2. Recommended: Email notifications are configured in UserLock.

Installation :

  1. This feature is accessible from UserLock 11.1
  2. UserLock SSO functionality is not part of the standard installation process, you must choose Custom installation and select the UserLockSSO function.


During the month preceding the expiration of the Saml certificate, an alert is visible in Single sign-on (SSO) -> Settings section of the UserLock console.
Certificate Rollover - settings
Exactly one month before the expiration, a new certificate is generated automatically and a notification is sent to the administrator (email notifications must be configured in UserLock)
Certificate Rollover - Notifications


Please note! The following two operations must be carried out within a short timeframe, because once the certificate has been updated, no user (including administrators) on the federated domain will be able to connect to any SaaS application. For this reason, it's best to start this procedure when users are less likely to be using these applications.

  1. Open the administration console for each SaaS application (or launch the Microsoft 365 configuration tool and skip the authentication step): this is necessary once the certificate has been updated in step 2, as indicated in the warning above.
  2. Apply the new UserLock SSO Saml certificate: to do this, an administrator must click on the Use new certificate button, then restart the UserLock SSO service from the UserLock console.
    Certificate Rollover - Certificate
  3. Update the Saml certificate for each SaaS application

Some SaaS providers allow administrators to connect without using federation. This avoids any problems with the certificate and is therefore less risky. Nevertheless, please follow the above procedure with care to avoid any problems.