SAML SSO: Update an expired security certificate
Updated over a year ago

Update an expired SAML SSO security certificate

When setting up a SAML connector for your organisation, your connector is automatically assigned a security certificate by your Identity Provider (Okta, OneLogin, Azure…).

These certificates last for a number of years, after which you’ll need to generate a new one.

Prerequisites

Once you activate a new certificate, your colleagues will be unable to log in to Spendesk using SAML until the certificate has been uploaded with us. It’s therefore worth contacting your account manager to arrange a time to do this together, in order to minimise downtime for your users.

If SAML isn’t enforced for your organisation, your users can use an alternative means of login (password, simple SSO) during this downtime, if they’ve set it up beforehand.

The entire process, from generating a new certificate, to uploading it with Spendesk, will only take a couple of minutes if you correctly organise it with your account manager.

Creating a new certificate

Okta

Log into your Okta admin account and select your Spendesk integration from the Applications side menu.

Click on the Sign On tab, then scroll down to SAML Signing Certificates.

Click on Generate new certificate, then in the Actions dropdown on the right, click Activate.

Once the new certificate is active, your users won’t be able to log into Spendesk until it’s uploaded with us.

If you wish, you can delete the old certificate by using the same menu and Delete at the bottom.

OneLogin

Log into your OneLogin admin account and select Certificates from the Security tab.

Select New in the top right-hand side of the page.

Enter the details for your new certificate, then click Save in the top right. We recommend at least SHA256 as the signature type.

If you wish - and as long as it’s not used by another integration - you can delete the old one by clicking on it, then using the Delete button on the right.

You can set this new certificate as your default, which would apply to all of your OneLogin integrations, but if you only want to apply it to the Spendesk integration, go to it from the Applications tab.

Click on SSO on the left, then Change on the X.509 Certificate section.

Select your new certificate in the drop down on the dialog that shows up, then click on Continue.

Once the new certificate is active, your users won’t be able to log into Spendesk until it’s uploaded with us.

Azure and others

Log into your Identity Provider, select your Spendesk integration, then click on Single Sign-on. In Azure, your integration can be found under Home > Enterprise applications.

Click on the Edit button to modify the SAML Certificates.

Click to generate a New Certificate.

Click on the three dots beside your inactive certificate and select Make certificate active.

Once the new certificate is active, your users won’t be able to log into Spendesk until it’s uploaded with us.

If you wish, you can delete the old one by using the same menu and Delete Certificate at the bottom.

Upload your new certificate with Spendesk

Before your users can log in again using SAML, your new certificate needs to be uploaded to Spendesk. Your account manager can help coordinate this to minimise downtime.

Okta

Still in the Sign On section, find your Metadata URL and copy it.

Send it to your account manager so they can upload it to Spendesk.

Once that’s done, your users can re-use SAML to log into Spendesk.

OneLogin

Still on your Spendesk application, use the More Actions menu in the top right to download your SAML Metadata XML file.

Once it’s downloaded, send it to your account manager so they can upload it to Spendesk.

Once that’s done, your users can re-use SAML to log into Spendesk.

Azure and others

Still in the Single Sign-on section, find your Federation Metadata XML and download it.

Once it’s downloaded, send it to your account manager so they can upload it to Spendesk.


👍 Once that’s done, your users can re-use SAML to log into Spendesk.
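
Before sending the metadata to your account manager, you can confirm that it already carries the newly activated signing certificate rather than the old one. The Python sketch below is an added example, not Spendesk or Identity Provider code: it extracts the signing certificates from a SAML metadata document and compares their fingerprints with one you supply. It assumes you have obtained the new certificate's fingerprint from your Identity Provider; the sample metadata, entity ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def signing_cert_fingerprints(metadata: bytes, algo: str = "sha256") -> list:
    """Fingerprints of every IdP signing certificate found in SAML metadata."""
    if b"<!DOCTYPE" in metadata:  # SAML metadata never needs a DTD
        raise ValueError("refusing metadata that contains a DOCTYPE")
    root = ET.fromstring(metadata)
    found = []
    for key in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                found.append(fingerprint(der, algo))
    return found

def metadata_has_cert(metadata: bytes, expected: str, algo: str = "sha256") -> bool:
    """True if the expected fingerprint matches a signing certificate."""
    want = expected.replace(":", "").replace(" ", "").upper()
    return any(fp.replace(":", "") == want
               for fp in signing_cert_fingerprints(metadata, algo))

# Constructed sample: placeholder bytes stand in for real DER certificates.
NEW_DER, OLD_DER = b"constructed-new-cert", b"constructed-old-cert"
def _key(use, der):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
          f'entityID="https://idp.example.com/metadata"><md:IDPSSODescriptor '
          f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
          f'{_key("signing", NEW_DER)}{_key("encryption", OLD_DER)}'
          f'</md:IDPSSODescriptor></md:EntityDescriptor>').encode()

if __name__ == "__main__":
    print(signing_cert_fingerprints(SAMPLE))
    print(metadata_has_cert(SAMPLE, fingerprint(NEW_DER)))
```

To check a real file, read it as bytes and pass it to metadata_has_cert together with the fingerprint of the certificate you just activated; pass a different algo value if your Identity Provider reports the fingerprint with another hash.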
