How to safely self-update your IdP certificate when using Multi-SSO and avoid "IDP Certificate Mismatch" errors

Issue

Several Identity Provider (IdP) servers (for example, ADFS) can change their active certificates 2-4 weeks before the current certificate expires, causing alerts and authentication errors in your Multi-SSO configuration. Once the certificate changes, you need to update all of your instances to avoid SSO authentication errors when users try to log in.

Symptoms

You can self-update your SSO certificates when the following apply:
- You have the Multi-SSO plugin installed.
- Your IdP metadata URL is accessible from the instance.
- Users receive an error message when trying to log in and are sent to a logout page.
- System logs show an "IDP Certificate Mismatch" error when users try to log in.
- Once the instance's SAML certificate is replaced with the one provided by the IdP, users are able to log in again.

Cause

Your IdP has changed its signing certificate, and the instance cannot verify the signature on the SAML messages received from the IdP.

Resolution

From the Kingston release, there is a scheduled job, "Refresh MultiSSO IDP Metadata", that fetches the IdP metadata from the IdP Metadata URL set on the IdP record and updates its certificates automatically. To allow the system to refresh the certificates automatically, ensure the IdP metadata URL is accessible from the instance. If it is not, you will need to continue updating the certificate manually every time the IdP changes it.

If you have an accessible metadata URL, perform the following:
1. Open the IdP record from the list view (NOT from the menu named Identity Providers, but from the SAML2 table), e.g.:
   <instance>/saml2_update1_properties_list.do?sysparm_query=
2. Ensure the IdP is active and set the "IDP Metadata URL" field (saml2_update1_properties.idp_metadata_url) to the URL that points to the IdP metadata (which contains the signing certificates). For SSO Circle it is "https://idp.ssocircle.com/".
3. Ensure the Scheduled Script Execution "Refresh MultiSSO IDP Metadata" is active and running every 30 minutes:
   <instance>/sysauto_script_list.do?sysparm_query=name%3DRefresh%20MultiSSO%20IDP%20Metadata
4. Validate that the scheduled job is executing correctly. You will see the certificates being updated every 30 minutes.

Note: The update can retrieve both your encryption and signing certificates. However, Multi-SSO only uses the signing certificates.

Related Links

These are a few references regarding IdP metadata URLs:
- For SSO Circle, the metadata is found at: https://idp.ssocircle.com/
- For Okta, the generic format of the SAML metadata URL is: https://[okta_org_url].okta.com/app/[app_id]/sso/saml/metadata
- For ADFS, the metadata is usually at: https://<adfs URL>/FederationMetadata/2007-06/FederationMetadata.xml
- For Azure, the metadata is at: https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml

Please contact your IdP administrators to validate the correct metadata URL required.
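As an added example (not part of the original article and not ServiceNow code), the following Python script does offline what the validation step in the resolution asks you to confirm: it parses an IdP federation metadata document, extracts the signing certificates advertised under IDPSSODescriptor (the only ones Multi-SSO uses, as the note above says), and compares their SHA-256 fingerprints with the fingerprint of the certificate currently configured on the instance. Running it before the rollover window shows whether the IdP has already published a second signing certificate, and running it during an outage shows whether the configured certificate has dropped out of the metadata, which is the "IDP Certificate Mismatch" situation. The metadata document and the certificate bodies are constructed placeholders, not real certificates; in practice you would fetch the document from the IdP Metadata URL on the IdP record and take the configured fingerprint from the instance's SAML certificate record.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used by federation metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for base64 DER certificates (not real certificates).
OLD_CERT_B64 = base64.b64encode(b"constructed: current signing certificate").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed: rolled-over signing certificate").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed: encryption certificate").decode()

# Constructed metadata document modelled on what an IdP publishes during a certificate
# rollover: two signing certificates (old and new) plus one encryption certificate.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {OLD_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certificates(metadata_xml: str) -> list:
    """Return the base64 body (whitespace removed) of every X.509 certificate the IdP
    advertises for signing. A KeyDescriptor with no 'use' attribute is valid for both
    signing and encryption, so it is included; 'encryption' descriptors are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                body = "".join((cert.text or "").split())  # metadata often wraps the base64
                if body and body not in certs:
                    certs.append(body)
    return certs


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the DER bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_idp_certificate(metadata_xml: str, configured_fingerprint: str) -> dict:
    """Compare the signing certificates published by the IdP with the fingerprint of the
    certificate the instance currently trusts, and report what differs."""
    published = [fingerprint(c) for c in signing_certificates(metadata_xml)]
    return {
        "published": published,
        # False means the instance's certificate is gone from the metadata: users will
        # hit "IDP Certificate Mismatch" until the instance picks up a published one.
        "configured_still_published": configured_fingerprint in published,
        # Non-empty while the configured one is still published means a rollover is
        # in progress and the refresh job should be confirmed to be running.
        "new_certificates": [fp for fp in published if fp != configured_fingerprint],
    }


if __name__ == "__main__":
    report = check_idp_certificate(SAMPLE_METADATA, fingerprint(OLD_CERT_B64))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check deliberately ignores KeyDescriptor elements with use="encryption", mirroring the note that Multi-SSO only uses the signing certificates, and it treats a descriptor with no use attribute as a signing certificate, which is how the SAML metadata specification defines it.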