UserLock Documentation
UserLock Documentation
You are here: Use cases > Implement Single Sign-On > Certificate Rollover

Certificate Rollover


  1. A primary UserLock SSO server must already be configured.
  2. Recommended: Email notifications are configured in UserLock.

Installation :

  1. This feature is accessible from UserLock 11.1
  2. UserLock SSO functionality is not part of the standard installation process, you must choose Custom installation and select the UserLockSSO function.

Configuration :

  1. During the month preceding the expiration of the Saml certificate, an alert is visible in Single sign-on (SSO) -> Settings section of the UserLock console.
    Certificate Rollover - settings
    Exactly one month before the expiration, a new certificate is generated automatically and a notification is sent to the administrator (email notifications must be configured in UserLock)
    Certificate Rollover - Notifications
  2. To apply the certificate, an administrator must click the Use new certificate button and then restart the UserLock SSO service from the UserLock console.
    Certificate Rollover - Certificate
  3. After this operation, all SaaS applications will need to be updated with the new certificate, otherwise users will not be able to connect to the applications. For this reason, it is best to start this procedure when users are least likely to sign in to SaaS applications.

As long as the new certificate is not applied, the previous certificate will remain active.
The service must be restarted on all Backup UserLock SSO servers after renewal for the new certificate to be taken into account.