Citrix Cloud SAML SSO - How to tell if my configuration is automatically pulling in certificates when Citrix rotates them?

Tim McDermid 5 Reputation points
2025-03-12T13:52:01.1233333+00:00

I've got a SAML SSO configuration between our Microsoft Entra and Citrix. The setup follows this guide: https://learn.microsoft.com/en-us/entra/identity/saas-apps/citrix-cloud-saml-sso-tutorial

However, this was all configured before I took over this position and I am having a hard time determining if our setup is automatically pulling in new SAML certificates from Citrix when Citrix rotates its SAML certificates. We were notified by Citrix that this would be occurring in a few weeks, but we want to ensure there is no downtime if we need to manually rotate these certificates. Citrix also provided documentation, but they indicate in it that it is the Identity Provider (in this case, Entra) that is responsible for automatically retrieving the new certificates via metadata exchange: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/saml-service-provider-signing-certificate


If anyone has ever run into this before or has any insight on how I can ensure that our Entra SAML SSO configuration is automatically pulling in these new certs from Citrix via metadata exchange, please let me know.


2 answers

  1. Andy David - MVP 157.8K Reputation points
    2025-03-12T14:05:00.07+00:00

    If auto rotation is in use, the new cert will show up in the SAML cert dialog box and you simply need to make it active:

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on#renew-a-certificate-that-is-set-to-expire-soon


  2. Sanoop M 4,310 Reputation points Moderator
    2025-03-18T21:42:57.97+00:00

    Hello @Tim McDermid,

    Thank you for your response.

    Please note that Microsoft Entra ID/Azure will not automatically pull in the SAML token signing certificate from Citrix; you have to renew the SAML certificates manually by following the steps mentioned below.

    Firstly, please note that all the Global Administrators in your tenant will receive email notifications regarding the expiration date of the SAML certificates. If you additionally want to add any other non-Global Administrator email address so that they can get email notifications regarding SAML certificate expiration, please follow the steps below.

    Add email notification addresses for certificate expiration

    Microsoft Entra ID sends an email notification 60, 30, and 7 days before the SAML certificate expires. You can add more than one email address to receive notifications. To specify one or more email addresses you want the notifications to be sent to:

    1. In the SAML Signing Certificate page, go to the notification email addresses heading. By default, this heading uses only the email address of the admin who added the application.
    2. Below the final email address, type the email address that should receive the certificate's expiration notice, and then press Enter.
    3. Repeat the previous step for each email address you want to add.
    4. For each email address you want to delete, select the Delete icon (garbage can) next to the email address.
    5. Select Save.

    You can add up to five email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails.

    You receive the notification email from azure-noreply@microsoft.com. To avoid the email going to your spam location, add this email to your contacts.

    Renew a certificate that is set to expire soon

    If a certificate is about to expire, you can renew it using a procedure that results in no significant downtime for your users. To renew an expiring certificate:

    Follow the instructions in the Create a new certificate section earlier, using a date that overlaps with the existing certificate. That date limits the amount of downtime caused by the certificate expiration.

    If the application can automatically roll over a certificate, set the new certificate to active by following these steps.

    1. Go back to the SAML Signing Certificate page.
    2. In the newly saved certificate row, select the ellipsis (...) and then select Make certificate active.
    3. Skip the next two steps.

    If the application can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesn’t automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime). Before the old certificate expires, follow the instructions in the Upload and activate a certificate section earlier. If your application certificate isn't updated after a new certificate is updated in Microsoft Entra ID, authentication on your application might fail. Sign in to the application to make sure that the certificate works correctly.

    If your app lacks certificate expiration validation and the certificate matches both Microsoft Entra ID and your app, it remains accessible. This condition is true even if the certificate is expired. Ensure your application can validate certificate expiration.

    Who can update the certificates?

    The owner of the application or Application Administrator can update the certificates through Microsoft Entra admin center UI, PowerShell, or Microsoft Graph.

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
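The answer above says the certificates can be inspected and updated through PowerShell or Microsoft Graph. As an added example that is not part of the thread, the following Microsoft Graph PowerShell script lists every SAML signing certificate Entra ID holds for the enterprise application, shows its expiry, and flags which one is currently active, so an admin taking over a configuration can see at a glance whether a rotation is pending. It assumes the Microsoft.Graph PowerShell SDK is installed and that the enterprise application's display name is `Citrix Cloud SAML SSO` (an assumption; adjust it to your tenant).

```powershell
# Added example (not from the thread): inventory the SAML signing certificates that
# Entra ID holds for the Citrix enterprise application and flag the active one.
# Assumes the Microsoft.Graph PowerShell SDK; the app display name is an assumption.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$appDisplayName = 'Citrix Cloud SAML SSO'   # assumption: match your enterprise app's name

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'" `
        -Property Id,DisplayName,PreferredTokenSigningKeyThumbprint,KeyCredentials
if (-not $sp) { throw "No enterprise application named '$appDisplayName' was found." }

$activeThumbprint = $sp.PreferredTokenSigningKeyThumbprint
$now = Get-Date

$report = foreach ($cred in $sp.KeyCredentials | Where-Object Type -eq 'AsymmetricX509Cert') {
    # CustomKeyIdentifier carries the SHA-1 thumbprint bytes for X.509 key credentials
    $thumbprint = ($cred.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
    [pscustomobject]@{
        DisplayName   = $cred.DisplayName
        Usage         = $cred.Usage                      # 'Sign' or 'Verify'
        Thumbprint    = $thumbprint
        NotAfter      = $cred.EndDateTime
        DaysRemaining = [int](($cred.EndDateTime - $now).TotalDays)
        Active        = ($thumbprint -eq $activeThumbprint)   # -eq is case-insensitive
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize

# Raise the same 30-day threshold Entra ID uses for its reminder emails
$expiring = $report | Where-Object { $_.Active -and $_.DaysRemaining -le 30 }
if ($expiring) {
    Write-Warning "Active signing certificate expires in $($expiring[0].DaysRemaining) days; add and activate a replacement."
}
if (-not ($report | Where-Object Active)) {
    Write-Warning "No key credential matches PreferredTokenSigningKeyThumbprint '$activeThumbprint'."
}
```

A certificate that appears in the list but is not marked Active is one that has been added but not yet activated, which is the state the first answer describes.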

