Rotate a SAML 2.0 certificate

You may need to import certificates periodically in order to rotate invalid or expired certificates issued by your identity provider. This helps to prevent authentication disruption or downtime. All imported certificates are automatically active. Certificates should only be deleted after ensuring that they are no longer in use with the associated identity provider.

You should also consider that some IdPs might not support multiple certificates. In this case, the act of rotating certificates with these IdPs might mean a temporary service disruption for your users. Service is restored when the trust with that IdP has been successfully reestablished. Plan this operation carefully during off peak hours if possible.

Note

As a security best practice, upon any signs of compromise or mishandling of an existing SAML certificate, you should immediately remove and rotate the certificate.

Rotating an IAM Identity Center certificate is a multistep process that involves the following:

Obtaining a new certificate from the IdP
Importing the new certificate into IAM Identity Center
Activating the new certificate in the IdP
Deleting the older certificate

Use all of the following procedures to complete the certificate rotation process while avoiding any authentication downtime.

Step 1: Obtain a new certificate from the IdP

Go to the IdP website and download their SAML 2.0 certificate. Make sure that the certificate file is downloaded in PEM encoded format. Most providers allow you to create multiple SAML 2.0 certificates in the IdP. It is likely that these will be marked as disabled or inactive.

Step 2: Import the new certificate into IAM Identity Center

Use the following procedure to import the new certificate using the IAM Identity Center console.

In the IAM Identity Center console, choose Settings.
On the Settings page, choose the Identity source tab, and then choose Actions > Manage authentication.
On the Manage SAML 2.0 certificates page, choose Import certificate.
On the Import SAML 2.0 certificate dialog, choose Choose file, navigate to your certificate file and select it, and then choose Import certificate.

At this point, IAM Identity Center will trust all incoming SAML messages signed from both of the certificates that you have imported.

Step 3: Activate the new certificate in the IdP

Go back to the IdP website and mark the new certificate that you created earlier as primary or active. At this point all SAML messages signed by the IdP should be using the new certificate.

Step 4: Delete the old certificate

Use the following procedure to complete the certificate rotation process for your IdP. There must always be at least one valid certificate listed, and it cannot be removed.

Note

Make sure that your identity provider is no longer signing SAML responses with this certificate before deleting it.

On the Manage SAML 2.0 certificates page, choose the certificate that you want to delete. Choose Delete.
In the Delete SAML 2.0 certificate dialog box, type DELETE to confirm, and then choose Delete.
Return to the IdP’s website and perform the necessary steps to remove the older inactive certificate.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Manage Certificates

Certificate expiration status indicators