Wdesk has the ability to hold and check against two SAML X509 Signing Certificates simultaneously to create a smooth transition. These steps will guide you through updating your Single Sign-On
Changing a Certificate
1. Log into your Organization Admin to access the Security features.
2. Click on Security and then Single Sign-On.
3. Under SAML Settings review your settings to confirm if Require SAML Single Sign-On for Users is checked.
If not checked, follow step 5.
4. Uncheck Require SAML Single Sign-On for Users and click Save Changes.
5. Go to IdP Settings where the X509 Certificates are held and copy the text contents of your
Certificate and paste the information into the Alternate Certificate field.
6. Go to the new X509 Certificate and paste it into the Certificate field. Workiva should now have both the old and new X509 Certificates.
7. Test SSO and afterwards navigate to the Activity Log to verify if the new SAML Certificate is being
- If the "Assertion validated using alternate X.509 certificate" message appears, Workiva is still receiving the old SML Certificate from the Identity Provider.
- If the log shows a successful attempt without the "Assertion validated using alternate X.509
certificate" message, it is now validating against the new SAML Certificate.
- If SSO fails, Workiva is receiving a different certificate than what is stored in the account.
8. Click on SAML Settings and then Require SAML Single Sign-On for Users.