When your self-signed SAML signing certificate expires, you must regenerate a new signing certificate in the Workspace ONE Access console and reconfigure all SAML service provider and identity provider configurations with the updated SAML metadata files.

When you are replacing the self-signed SAML signing certificate, users cannot access their apps until all SAML service provider and identity provider configurations are updated. We recommend that you schedule updating the expired certificate during a time that least impacts users access to their apps.

Prerequisites

Take a snapshot of your Workspace ONE Access virtual appliance, connectors, and database before you update the SAML metadata.

Procedure

  1. In the Workspace ONE Access console Catalog tab, select Web Apps > Settings > SAML Metadata.
  2. To confirm that the certificate has expired, open the Service Provider metadata file and the Identity Provider metadata file and verify that the validUntil date has expired.
  3. To create a new self-signing certificate, in the Signing Certificate section on the SAML Metadata page, click REGENERATE.
    The self-signed certificate is regenerated and the Service Provider and Identity Provider metadata is updated. Open the files to view the updated validUntil date.
  4. Go to the Identity & Access Management tab Connectors page and click Refresh Metadata for each connector to update the connectors with the regenerated metadata.

What to do next

Make the SAML metadata available to the third-party identity provider instances. In the SAML Metadata page, copy and save the service provider and identity provider metadata files. Reconfigure your SAML service provider and identity provider configuration with the updated SAML metadata files.

Note: If you use an external signed CA certificate that expired, create a new Certificate Signing Request in Workspace ONE Access.