After IDP certificate change - SSO login failsIssue <!-- div.margin { padding: 10px 40px 40px 30px; } table.tocTable { border: 1px solid; border-color: #e0e0e0; background-color: #fff; } .title { color: #d1232b; font-weight: normal; font-size: 28px; } h1 { color: #d1232b; font-weight: normal; font-size: 21px; margin-bottom: 5px; border-bottom-width: 2px; border-bottom-style: solid; border-bottom-color: #cccccc; } h2 { color: #646464; font-weight: bold; font-size: 18px; } h3 { color: #000000; font-weight: bold; font-size: 16px; } h4 { color: #666666; font-weight: bold; font-size: 15px; } h5 { color: #000000; font-weight: bold; font-size: 13px; } h6 { color: #000000; font-weight: bold; font-size:14px; } ul, ol { margin-left: 0; list-style-position: outside; } --> SSO users failed to login into the instance after IDP certificate change. ReleaseAll versionsCauseFrom the System log > ALL , We see the below certificate error 2019-06-13 02:07:24 (565) Default-thread-14 8CFD09C9DBCEB3C0918D567B4B961969 txid=ddfdcdc9dbce SEVERE *** ERROR *** SAML2: javax.security.cert.X509Certificate.getInst(X509Certificate.java:241)javax.security.cert.X509Certificate.getInstance(X509Certificate.java:200)sun.reflect.GeneratedMethodAccessor1551.invoke(Unknown Source)sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)java.lang.reflect.Method.invoke(Method.java:498)org.mozilla.javascript.MemberBox.invoke(MemberBox.java:138)org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:292)org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2585)org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)org.mozilla.javascript.gen.sys_script_include_5cfc38231b00200000009141be0713ef_script_1123._c_anonymous_22(sys_script_include.5cfc38231b00200000009141be0713ef.script:529)org.mozilla.javascript.gen.sys_script_include_5cfc38231b00200000009141be0713ef_script_1123.call(sys_script_include.5cfc38231b00200000009141be0713ef.script)org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)org.mozilla.javascript.gen.sys_script_include_5cfc38231b00200000009141be0713ef_script_1123._c_anonymous_24(sys_script_include.5cfc38231b00200000009141be0713ef.script:665)org.mozilla.javascript.gen.sys_script_include_5cfc38231b00200000009141be0713ef_script_1123.call(sys_script_include.5cfc38231b00200000009141be0713ef.script)org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651) Go to the Certificate that was added to the IDP record and check PEM Certificate It should be in the below format. -----BEGIN CERTIFICATE-----MIIEYzCCAkugAwIBAgIDIAZmMA0GCSqGSIb3DQEBCwUAM........-----END CERTIFICATE----- ResolutionConfirm the certificate has right format.Related LinksKB0691439 - Replacing an expiring SAML certificate