Hi @beefybeef ,
Thanks for reaching out.
I understand you are looking to manage inactive SAML signing certificates in Azure AD.
We have a number of applications that continue to work even after they have expired.
Ensure your application can validate the certificate's expiration date. If your application doesn't have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your application is still accessible despite having an expired certificate.
If a SAML signing certificate has expired, will it still be used and trusted by the SP? What is the risk of not replacing it?
If a certificate expires before you rotate it, your users won't be able to use SSO to sign in to any SAML applications that use that certificate until you replace it with a new certificate.
If an application has a valid SAML signing certificate along with an expired, inactive certificate, what are the risks of removing the inactive certificate after the SP has been updated with the new, active one?
You can remove the inactive certificates if you don't want to use them in future. Before removing any inactive certificate, make sure to roll over to the new certificate.
Hope this will help.
Thanks,
Shweta
---------------------------------------------
Please remember to "Accept Answer" if the answer helped you.
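The answer above points out that an SP which only compares the IdP's signing certificate against its configured copy, without checking the validity dates, will keep accepting assertions signed with an expired certificate. The following Go program is an added example (not code from the thread, from Azure AD, or from any SAML library) of the two checks an SP should apply to the certificate carried in a SAML response: it must match a configured trusted fingerprint, and the current time must fall inside its NotBefore/NotAfter window. The certificates it checks are self-signed test certificates generated in the program itself, standing in for an active IdP certificate and an expired one; the fingerprint-based trust list is an assumed SP configuration, not something the page describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrCertExpired is returned when the signing certificate is outside its validity window.
var ErrCertExpired = errors.New("saml signing certificate is outside its validity window")

// ErrCertUntrusted is returned when the certificate in the assertion is not one the
// SP has been configured to trust (e.g. an inactive certificate that was removed).
var ErrCertUntrusted = errors.New("saml signing certificate does not match any trusted certificate")

// Fingerprint returns the hex-encoded SHA-256 digest of the DER-encoded certificate.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// ValidateSigningCert applies both checks an SP should make before trusting the
// certificate that signed a SAML response: it must be a configured (trusted)
// certificate, and it must be valid at time now. Skipping the second check is
// exactly the gap described in the answer: a matching but expired certificate
// would still be accepted.
func ValidateSigningCert(cert *x509.Certificate, now time.Time, trusted []string) error {
	fp := Fingerprint(cert)
	known := false
	for _, t := range trusted {
		if t == fp {
			known = true
			break
		}
	}
	if !known {
		return ErrCertUntrusted
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("%w: valid %s to %s, checked at %s", ErrCertExpired,
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339),
			now.Format(time.RFC3339))
	}
	return nil
}

// NewTestSigningCert builds a constructed, self-signed certificate with the given
// validity window. It stands in for an IdP signing certificate in this example and
// is test data only, not a real Azure AD certificate.
func NewTestSigningCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-idp-signing (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	active, _ := NewTestSigningCert(now.Add(-24*time.Hour), now.Add(365*24*time.Hour))
	expired, _ := NewTestSigningCert(now.Add(-2*365*24*time.Hour), now.Add(-24*time.Hour))

	// During rollover the SP is configured with both the new and the old certificate.
	trusted := []string{Fingerprint(active), Fingerprint(expired)}
	fmt.Println("active cert: ", ValidateSigningCert(active, now, trusted))
	fmt.Println("expired cert:", ValidateSigningCert(expired, now, trusted))

	// Once rollover is complete the inactive certificate is removed from the SP.
	trusted = []string{Fingerprint(active)}
	fmt.Println("removed cert:", ValidateSigningCert(expired, now, trusted))
}
```

The rollover sequence in the answer maps onto the trusted list: add the new certificate's fingerprint while the old one is still configured, confirm the IdP has switched to signing with it, then drop the old fingerprint. The expiry check means that an old certificate left configured by mistake stops being honoured on its NotAfter date rather than indefinitely.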