Replacing an expiring SAML certificate

Issue

This article outlines the steps to replace an expiring SAML certificate and to remove the old certificate once it has expired. Typically, an administrator is informed that the Identity Provider certificate is expiring 2 - 4 weeks before the actual expiration date. At that time, the new certificate is created on the Identity Provider system and can be imported into the ServiceNow instance.

General Procedure

The following procedure applies to Multi-Provider SSO. If you are still using SAML 2.0 Update 1, please upgrade to Multi-Provider SSO as soon as possible.

Replacing the certificate is done in three general steps:

1. Create the new certificate.
2. Add the certificate to the Identity Provider record.
3. Remove the old certificate after it has expired.

Repeat these steps every time a certificate is about four weeks from its expiration date.

Detailed Procedure

1. Create the new certificate.

   a. Contact your IdP (Identity Provider) administrator to provide you the new certificate in .pem format. If any other format is provided, convert the file to .pem format. Third-party sites are available online to accomplish this type of conversion. You can recognize a PEM-formatted certificate by opening it in a text editor: the content starts with a BEGIN CERTIFICATE line and ends with an END CERTIFICATE line.
   b. Copy the content of the text file, including the BEGIN CERTIFICATE and END CERTIFICATE headings, but without any leading or trailing line feeds:

      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

   c. In the browser window for your ServiceNow instance, go to Multi-Provider SSO and open the X.509 certificate module. Click New to create a new certificate.
   d. Give the certificate a name. Consider including the expiration year in the name for easier searchability.
   e. Paste the content, including the BEGIN CERTIFICATE and END CERTIFICATE headings, into the PEM certificate field and save the record. You should see the expiration information as well as general information about the certificate displayed at this time.
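As an added example (not part of the original article and not ServiceNow's own tooling), the following stdlib-only Python script performs the checks behind step 1 (Create the new certificate) and step 3 (Remove the old certificate after it has expired): it locates the BEGIN/END CERTIFICATE block, trims leading and trailing line feeds, converts DER to PEM locally so the certificate never has to be uploaded to a third-party conversion site, reads notBefore/notAfter from the certificate's validity field, and classifies the certificate as inside the four-week rotation window or already expired. The function names, the four-week threshold as a parameter, and the build_sample_cert() stand-in (an unsigned DER skeleton constructed here for demonstration, not a real certificate) are assumptions of this example.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Matches the block that must be pasted into the "PEM certificate" field.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _tlv(tag, content):
    """Encode one DER tag-length-value element (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year rule
        s = "%04d%s" % (year, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def der_to_pem(der):
    """Wrap DER bytes as a PEM block with no leading or trailing line feeds."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def pem_to_der(text):
    """Extract and base64-decode the certificate body; rejects files with no PEM block."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found; convert the file to PEM first")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalize_pem(text):
    """Return exactly the text to paste: headers included, surrounding whitespace removed."""
    return der_to_pem(pem_to_der(text))


def validity(pem):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    _, cert, _ = _read_tlv(pem_to_der(pem), 0)
    _, tbs = _children(cert)[0]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def rotation_status(pem, now, warn_weeks=4):
    """Classify a certificate as 'expired', 'rotate' (inside the warning window) or 'ok'."""
    _, not_after = validity(pem)
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(weeks=warn_weeks):
        return "rotate"
    return "ok"


def build_sample_cert(not_before, not_after):
    """CONSTRUCTED sample: an unsigned stand-in with the X.509 field layout that
    validity() walks. It is not a real certificate and will not verify anywhere."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # OID 1.2.840.113549.1.1.11
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))          # version v3
               + _tlv(0x02, b"\x01")                    # serialNumber
               + sha256_rsa                             # signature algorithm
               + _tlv(0x30, b"")                        # issuer (empty Name)
               + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
               + _tlv(0x30, b"")                        # subject (empty Name)
               + _tlv(0x30, b""))                       # subjectPublicKeyInfo (empty)
    return der_to_pem(_tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00")))


if __name__ == "__main__":
    sample = build_sample_cert("240101000000Z", "250101000000Z")
    print(normalize_pem("\n\n" + sample + "\n"))
    print(validity(sample))
    print(rotation_status(sample, datetime(2024, 12, 10, tzinfo=timezone.utc)))
```

To use it on a real file, pass the file contents to normalize_pem() and rotation_status(): the string normalize_pem() returns is exactly what goes into the PEM certificate field, and a status of "rotate" or "expired" tells you which step of the procedure applies. Converting DER to PEM locally, as der_to_pem() does, avoids handing the file to a third-party site at all.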
The expiration information being displayed indicates that the certificate is valid.

2. Add the certificate to the Identity Provider record.

   a. Navigate to Multi-Provider SSO > Identity Providers.
   b. Select the active default identity provider for which you created the new certificate.
   c. Scroll until you see the "X.509 certificates" related list and click the Edit button.
   d. Move the newly created certificate from the left to the right, leaving the current certificate on the right (selected) side.
   e. Click Save.

   You will now have both the old and the new certificate associated with your IdP record. A few weeks after these steps have been completed, the old certificate will have passed its expiration date. No outage or procedure is required on the actual expiration date, because the system automatically checks all certificates related to the IdP record against the signature in the SAML response.

3. Remove the old certificate after it has expired.

   a. Once the expiration date for the old certificate has passed, go to Multi-Provider SSO and open the X.509 certificate module.
   b. Search for the certificate(s) with an expiration date in the past and set the Active flag to false.
   c. Navigate to Multi-Provider SSO > Identity Providers.
   d. Select the active default identity provider that used the expired certificate.
   e. Scroll until you see the X.509 certificates related list and click the Edit button.
   f. Move the expired certificate from the right to the left, leaving the current (new) certificate on the right (selected) side.

Release

Helsinki and newer

Related Links

Starting in the Jakarta version, the ServiceNow instance can be configured to automatically query the IdP for SAML certificates. As noted in the product documentation topic "Create a SAML 2.0 configuration using Multi-Provider SSO", the IdP properties are imported from the URL set on the configuration's Advanced tab, in the field "Metadata URL from which IDP properties are imported".
If set, this enables the automatic import of the SAML certificate from the IdP when the previous certificate has expired.

Note: If you upgrade from SAML2 Update 1 to Multi-Provider SSO, or if you manually set up your SSO connection, the IdP Metadata URL does not populate automatically.