How to find the correct X509 certificate from SAML response


The purpose of this article is to provide useful troubleshooting steps for LDAP connectivity issues. The LDAP Server might suddenly lose connection after multiple attempts, causing updates interruption from the Active Directory import process.

One of the possible and most likely reasons is the X509 certificates defined in the instance do not match the ones coming in from the SAML response from the Identity Provider.

The steps below are required in order to retrieve the correct certificate value:

  1. Navigate to https://<instance>
  2. Set the list filter: Message starts with SAML Response xml
    • Ref.: https://<instance>
  3. Open the latest log record
  4. The correct certificate value is between xml tags <ds:X509Certificate> and </ds:X509Certificate>
  5. Copy this value, without the xml tags
  6. Navigate to https://<instance>
  7. Create a new certificate
  8. Fill up the required fields and paste the certificate value in the PEM Certificate box using this template:


<certificate value>


  1. Click Submit

The LDAP server should now connect again, and the import / update from the AD should work if the issue was an incorrect certificate.