UserLock Documentation

Certificate Rollover

The SAML certificate shared with SaaS applications expires after a certain number of months, depending on the duration chosen when the feature was activated. Once the certificate has expired, it will no longer be possible to sign in to any SaaS application, administrators possibly included, so it is extremely important to renew it in time.

UserLock SSO automatically renews this certificate one month before it expires, but some administration tasks must be performed before the renewal takes effect, as explained below. It is advisable to perform these operations when users are least likely to log on to SaaS applications, as the federation may be briefly interrupted while the certificate is renewed on the SaaS application side.

Prerequisites :

  1. A primary UserLock SSO server must already be configured.
  2. Recommended: email notifications are configured in UserLock.

Installation :

  1. This feature is available from UserLock 11.1 onwards.
  2. UserLock SSO is not part of the standard installation: choose Custom installation and select the UserLockSSO feature.

Configuration :

  1. During the month preceding the expiration of the SAML certificate, an alert is visible in the Single sign-on (SSO) -> Settings section of the UserLock console.
    [Screenshot: Certificate Rollover - settings]
    Exactly one month before the expiration, a new certificate is generated automatically and a notification is sent to the administrator (email notifications must be configured in UserLock).
    [Screenshot: Certificate Rollover - Notifications]
  2. To apply the new certificate, an administrator must click the Use new certificate button and then restart the UserLock SSO service from the UserLock console.
    [Screenshot: Certificate Rollover - Certificate]
  3. After this operation, every SaaS application must be updated with the new certificate; otherwise users will not be able to sign in to them. For this reason, it is best to start this procedure when users are least likely to sign in to SaaS applications.

As long as the new certificate has not been applied, the previous certificate remains active.
After renewal, the service must also be restarted on all backup UserLock SSO servers for the new certificate to be taken into account.
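The one-month renewal window described above is also worth monitoring outside the console, since an expired signing certificate locks everyone out of the SaaS applications. The following is an added example, not UserLock's own code: it reads the signing certificate from a SAML IdP metadata fragment (the metadata UserLock SSO provides to the SaaS applications; how to export it is not covered on this page) and reports whether the certificate is expired, inside the 30-day rollover window, or fine. The certificate in the sample is a constructed DER stub containing only the fields up to Validity, not a real signed certificate; the parser reads a real certificate the same way.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

ROLLOVER_WARNING_DAYS = 30  # the page's "one month before expiration" window

def _tlv(tag, body):
    """Short-form DER encoder (bodies < 128 bytes), used only to build the constructed sample."""
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Read one DER element (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def signing_cert_not_after(metadata_xml):
    """notAfter of the first <X509Certificate> in SAML metadata, as an aware UTC datetime."""
    b64 = re.search(r"<(?:\w+:)?X509Certificate>([^<]+)</", metadata_xml).group(1)
    _, cert, _ = _read_tlv(base64.b64decode(b64), 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                    # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)                   # [0] EXPLICIT version, absent in v1 certs
    pos = pos if tag == 0xA0 else 0
    for _ in range(3):                                # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)              # Validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _read_tlv(validity, 0)
    tag, not_after, _ = _read_tlv(validity, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)

def rollover_status(metadata_xml, now):
    """'expired', 'rollover-window' (inside the one-month renewal window) or 'ok'."""
    days_left = (signing_cert_not_after(metadata_xml) - now).days
    return "expired" if days_left < 0 else "rollover-window" if days_left <= ROLLOVER_WARNING_DAYS else "ok"

def make_sample_metadata(not_after):
    """Constructed sample: a DER certificate stub (fields up to Validity only) in an IdP metadata fragment."""
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")                # version v3, serial 1
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))     # sha256WithRSAEncryption
           + _tlv(0x30, b"") + _tlv(0x30, utc(not_after - timedelta(days=365)) + utc(not_after)))
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x30, tbs))).decode()
    return ('<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>'
            + b64 + "</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>")
```

Running `rollover_status` against the exported metadata on a schedule gives an alert channel independent of the console banner and email notification the page describes.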