Org Security Admins can follow the steps listed here to update the SAML Single Sign-On certificate. Workiva can hold and check against two SAML X509 signing certificates simultaneously, which allows a smooth transition from the old certificate to the new one.
Change a certificate
To update a SAML Single Sign-On certificate:
- In Organization Admin, select Security in the left nav area, and then select Single Sign-On in the tab bar.
- Select Force SSO and exceptions.
- Clear (uncheck) Force users to sign in using SSO option, and click Save.
- Select SSO configuration, locate your desired configuration, and click Edit.
- Scroll down to the Identity Provider Metadata section, copy the contents of the Certificate field and paste that into the Alternate certificate field.
- Locate your new X509 Certificate and paste the certificate into the Certificate field. Workiva should now have both the old and new X509 Certificates.
- After your identity provider has made the new SSO certificate active, validate that it is working. The activity log will show a successful SSO login. See View the SAML single sign-on activity log for instructions.
Tip: Have another user validate that SSO is working properly while the Org Security Admin stays logged in. This way, if the SSO is unsuccessful, the Org Security Admin will be able to make the necessary changes right away, and they won’t have to spend time logging back in to the Workiva platform with a password.
- Go back to the Force SSO and exceptions section, and re-check the Force users to sign in using SSO option. You will be prompted to confirm this change.
- To complete this procedure, click Save.
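Before re-checking Force users to sign in using SSO, it helps to confirm that the certificate your identity provider publishes for signing matches one of the two fields you filled in. The following is an added example, not Workiva code: the function names are hypothetical, the certificate bytes and metadata are constructed placeholders, and it assumes your IdP publishes standard SAML 2.0 metadata XML.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_text):
    """SHA-256 over the DER bytes; ignores PEM armor, line wraps and spaces."""
    lines = (ln.strip() for ln in cert_text.splitlines())
    b64 = "".join("".join(ln.split()) for ln in lines if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest()

def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of every signing certificate the IdP metadata publishes."""
    found = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key; a missing "use" covers signing too
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text:
                found.append(fingerprint(cert.text))
    return found

def rollover_status(metadata_xml, certificate_field, alternate_field):
    """Map each IdP signing cert to the field that holds it, or None."""
    fields = {fingerprint(alternate_field): "Alternate certificate",
              fingerprint(certificate_field): "Certificate"}
    return {fp: fields.get(fp) for fp in idp_signing_fingerprints(metadata_xml)}

# Constructed placeholder bytes, not real certificates: only byte equality matters here.
OLD_B64 = base64.b64encode(b"constructed-old-signing-cert" * 8).decode()
NEW_B64 = base64.b64encode(b"constructed-new-signing-cert" * 8).decode()

def pem(b64):
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed IdP metadata that already advertises the new signing certificate.
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{NEW_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for fp, field in rollover_status(METADATA, pem(NEW_B64), pem(OLD_B64)).items():
        print(fp[:16], "->", field or "NOT IN EITHER FIELD")
```

A `None` result means the IdP is signing with a certificate that is in neither field, so leave Force SSO unchecked until the fields are corrected.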