Managing a Service Provider Certificate Rotation

When a single sign-on (SSO) certificate is retired, you need to rotate the service provider certificate used by your identity provider (IdP) to ensure admins and end users maintain successful access to applications.

To make these changes, you need the relevant service provider metadata and certificate for your IdP. The service provider metadata and certificate information is specific to your IdP and the Single Sign-On selection made when configuring your IdP within the Admin Portal. You can access this information from the IdP Configuration page in the Admin Portal.

If the original IdP you configured is Azure or Okta, your IdP will download the latest certificate from Private Applications and rotate your account configuration automatically. No further action is required.

Use one of the following options to rotate a certificate:

    1. Go to Administration > Identity > Private Access > IDP Configuration.
    2. Locate the IdP configuration you want to modify within the table, and click the Edit icon.
    3. In the Edit IdP Configuration window, select a different service provider certificate for User SP Certificate Rotation or Admin SP Certificate Rotation.
    4. Click Save. The IdP automatically updates to use the new service provider certificate.
    1. Go to Administration > Identity > Private Access > IDP Configuration.
    2. Locate the IdP configuration you want to modify within the table, and click the Edit icon.
    3. In the Edit IdP Configuration window, select a different service provider certificate for User SP Certificate Rotation or Admin SP Certificate Rotation.
    4. Click Save.
    5. Locate the IdP you updated within the table, and expand the row to view the IdP details.
    6. Find the Service Provider URL, and click the Copy icon to copy the URL to your clipboard.

    Copy icon for Service Provider URL for an identity provider on the IdP Configuration page

    7. Go to your IdP and complete the following based on the IdP:
        1. Log in to your ADFS server.
        2. In the Windows server, go to Administrative Tools > ADFS Management to launch the ADFS management application.
        3. In the left-side navigation of the AD FS window, click the Relying Party Trusts folder.

          Selecting the Relying Party Trusts folder in the AD FS management window

        4. In the Relying Party Trusts panel, right-click the relying party trust for Private Applications (e.g., Private Applications or Private Applications Admin SSO), and click Properties. The Properties window appears.

          Select Properties in the AD FS management window for ADFS

        5. On the Monitoring tab, enter the URL you copied in step 6 above in the Relying party’s federation metadata URL: field.

          Adding a service provider URL on the Monitoring tab of the Properties window for ADFS

        6. Click Test URL and wait for a successful validation.
        7. Click OK, click Apply, and then close the Properties window.

        In certain scenarios, AD FS caches the expired certificate. Zscaler recommends deleting any expired certificates from the Relying Party Trusts panel after a new certificate is successfully updated.

        1. Log in to your IdP portal.
        2. Go to the applications section where the IdP for Private Applications resides.
        3. Select the IdP for Private Applications to update its configuration information.
        4. Enter the URL you copied in step 6 above.
        5. Save your changes.
    8. Test your logins to ensure SSO is working correctly.

    1. Go to Administration > Identity > Private Access > IDP Configuration.
    2. Locate the IdP configuration you want to modify within the table, and click the Edit icon.
    3. In the Edit IdP Configuration window, select a different service provider certificate for User SP Certificate Rotation or Admin SP Certificate Rotation.
    4. Click Save.
    5. Locate the IdP you updated within the table, and expand the row to view the IdP details.
    6. Find Service Provider Certificate, and click Download Certificate to download the certificate file for this IdP.

    Download Certificate button for Service Provider Certificate in the IdP Configuration page

    7. Go to your IdP and complete the following based on the IdP:
        1. Log in to your ADFS server.
        2. In the Windows server, go to Administrative Tools > ADFS Management to launch the ADFS management application.
        3. In the left-side navigation of the AD FS window, click the Relying Party Trusts folder.

          Selecting the Relying Party Trusts folder in the AD FS management window

        4. In the Relying Party Trusts panel, right-click the relying party trust for Private Applications (e.g., Private Applications or Private Applications Admin SSO), and click Properties. The Properties window appears.

          Select Properties in the AD FS management window for ADFS

        5. On the Signature tab, click Add... and select the certificate downloaded in step 6 above.

          Click Add to select a service provider certificate

        6. Click OK, click Apply, and then close the Properties window.

        In certain scenarios, AD FS caches the expired certificate. Zscaler recommends deleting any expired certificates from the Relying Party Trusts panel after a new certificate is successfully updated.

        1. Log in to your IdP portal.
        2. Go to the applications section where the IdP for Private Applications resides.
        3. Select the IdP for Private Applications to update its configuration information.
        4. Enter the URL you copied in step 6 above.
        5. Save your changes.
    8. Test your logins to ensure SSO is working correctly.
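The AD FS side of both options above (the federation metadata URL on the Monitoring tab, or the downloaded certificate file on the Signature tab) and the cleanup of a cached expired certificate can also be done with the ADFS PowerShell module. This is an added example, not code from Zscaler or from Microsoft's documentation; the relying party trust name, metadata URL and certificate path are placeholders to replace with the values shown on your IdP Configuration page.

```powershell
# Added example: rotate the service provider signing certificate on an AD FS
# relying party trust with the ADFS PowerShell module. Run in an elevated
# session on the AD FS server. Trust name, URL and path are placeholders.
Import-Module ADFS

$RpName      = 'Private Applications'                                    # relying party trust name (placeholder)
$MetadataUrl = 'https://<service-provider-url-from-idp-configuration>'   # placeholder
$CertPath    = 'C:\Temp\service-provider-certificate.cer'                # placeholder

# Option 1 (Monitoring tab): point the trust at the SP metadata URL, let AD FS
# monitor it, and pull the metadata once now rather than waiting for the monitor.
function Set-SpMetadataUrl {
    param([string]$TargetName, [string]$Url)
    Set-AdfsRelyingPartyTrust -TargetName $TargetName -MetadataUrl $Url `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
    Update-AdfsRelyingPartyTrust -TargetName $TargetName
}

# Option 2 (Signature tab): add the downloaded certificate file to the trust's
# request-signing certificates, keeping the ones already configured.
function Add-SpSigningCertificate {
    param([string]$TargetName, [string]$Path)
    $new     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $current = @((Get-AdfsRelyingPartyTrust -Name $TargetName).RequestSigningCertificate)
    if ($current.Thumbprint -contains $new.Thumbprint) { return }   # already present
    Set-AdfsRelyingPartyTrust -TargetName $TargetName -RequestSigningCertificate ($current + $new)
}

# AD FS can keep the retired certificate on the trust: drop every certificate that
# is past NotAfter, but never leave the trust with no valid signing certificate.
function Remove-ExpiredSpSigningCertificates {
    param([string]$TargetName)
    $now   = Get-Date
    $all   = @((Get-AdfsRelyingPartyTrust -Name $TargetName).RequestSigningCertificate)
    $valid = @($all | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    $stale = @($all | Where-Object { $_.NotAfter -le $now })
    foreach ($c in $stale) { Write-Host "Removing expired SP certificate $($c.Thumbprint) (NotAfter $($c.NotAfter))" }
    if ($stale.Count -gt 0 -and $valid.Count -gt 0) {
        Set-AdfsRelyingPartyTrust -TargetName $TargetName -RequestSigningCertificate $valid
    }
}

# Use ONE of the two options, then clean up and review what the trust now accepts.
Set-SpMetadataUrl -TargetName $RpName -Url $MetadataUrl
# Add-SpSigningCertificate -TargetName $RpName -Path $CertPath
Remove-ExpiredSpSigningCertificates -TargetName $RpName
(Get-AdfsRelyingPartyTrust -Name $RpName).RequestSigningCertificate |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
```

The final table is the check to keep: after the rotation the trust should list the new certificate with a NotAfter in the future and no entry whose NotAfter has already passed.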