Renew/Rotate SAML Certificate for SSO

Your SSO configuration is either self-service (you set it up yourself using the Portal) or it was set up by filing a support ticket and exchanging configuration blocks with SingleStore, who did the SingleStore-side setup. If your configuration is not self-service and you have an expiring certificate, you must switch to self-service: SingleStore will not update non-self-service configurations. For additional details, refer to SingleStore’s Identity Platform.

The steps outlined below assume you are already self-service.

SAML certificate rotation for SingleStore Helios Portal access, where Single Sign-On (SSO) is configured via self-service (for example, with Okta), means re-establishing the SAML connection with the new certificate. The process is equivalent to configuring SSO again with the updated certificate material: rotation is performed by redoing the SSO configuration, not with a separate rotation-specific workflow.

The following steps outline the SAML certificate rotation:

  1. Prepare for Rotation

    • Identify the expiration date of your existing SAML signing certificate.

    • Notify stakeholders about the planned rotation to minimize disruption.

    • All of the following steps are a summary of the regular SAML instructions. You also have the option of switching to OIDC, which is recommended when your Identity Provider is not behind a firewall.

  2. Access your SSO Provider and the SingleStore Helios Portal

    • Log into your SingleStore Helios Portal.

    • Log into your SAML identity provider’s admin portal (for example, Okta).

  3. Add (or Update) the Identity Provider Connection

    • In the SingleStore Helios Portal, navigate to Organization Details > Authentication tab.

    • Use the Add Identity Provider list to start a new connection or edit the existing one, as appropriate.

    • Assign a connection name (for example, Okta SAML).

  4. Copy the Service Provider Metadata

    • Download/copy SingleStore’s Service Provider Configuration (Login/Logout URLs, Entity ID) for use in your IdP.

  5. Create/Configure the SAML Application in Your IdP

    • In your IdP (for example, Okta), create or update the app integration:

      • Input SingleStore’s URLs and Entity ID.

      • Set an appropriate NameID format (for example, Persistent).

      • Configure required attribute statements (email, lastName, firstName).

  6. Generate or Upload a New SAML Signing Certificate in Your IdP

    • In your IdP, generate a new SAML signing certificate or upload a renewed one.

    • Download the IdP metadata XML (updated with the new certificate).

  7. Upload IdP Metadata to SingleStore

    • In the SingleStore Helios Portal, upload the new IdP metadata XML under the SAML connection.

  8. Map User Attributes and Set Domains

    • Map the user attributes in SingleStore to correspond with the IdP.

    • Add/verify required domains.

  9. Update IdP with SingleStore’s New Certificate (If Required)

    • Optionally, if SingleStore's SP signing certificate has changed, upload the .pem file to your IdP and enable Validate SAML requests with signature certificates.

  10. Finalize and Test the Configuration

    • Save and update the SSO connection in SingleStore.

    • Test the login workflow to ensure the new certificate is used and authentication succeeds. This is the most important step.

    • After testing succeeds, enable/activate the connection.

  11. Decommission the Old Configuration

    • After validation, remove any deprecated or obsolete SAML settings.

    • If migrating from legacy SSO (for example, "old-style Keycloak"), ensure the previous IdP is disabled to avoid confusion.
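As an added illustration of steps 1, 6 and 7 (this is not part of the SingleStore documentation, nor SingleStore or Okta code): a Python check, using the `cryptography` package, that reads the signing certificate(s) out of IdP metadata XML, reports days until expiry, and confirms that the metadata you are about to upload really carries a different certificate than the one currently configured. The `sample_metadata` helper builds constructed test data around a throwaway self-signed certificate; its entity ID and names are assumptions.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signing_certs(metadata_xml):
    """IdP certs that may sign assertions: use="signing", or no use attribute (means both)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for node in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(node.text.split()))  # drop PEM-style line breaks
                certs.append(x509.load_der_x509_certificate(der))
    return certs


def not_after_utc(cert):  # not_valid_after_utc exists from cryptography 42; fall back to the naive form
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)


def rotation_report(current_xml, new_xml, now=None, warn_days=30):
    """What uploading new_xml in place of current_xml changes, compared by SHA-256 fingerprint."""
    now = now or dt.datetime.now(dt.timezone.utc)
    cur = {c.fingerprint(hashes.SHA256()) for c in signing_certs(current_xml)}
    new = {c.fingerprint(hashes.SHA256()): c for c in signing_certs(new_xml)}
    days_left = [(not_after_utc(c) - now).days for c in new.values()]
    return {
        "new_cert_present": bool(set(new) - cur),   # the rotation really introduced a new key
        "old_cert_retained": bool(set(new) & cur),  # both keys listed: overlap window for cutover
        "new_cert_days_left": min(days_left) if days_left else None,
        "expires_soon": bool(days_left) and min(days_left) < warn_days,
    }


def sample_metadata(days_valid):
    """Constructed test data: metadata wrapping a fresh self-signed cert (not from a real IdP)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample-idp")])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=days_valid)).sign(key, hashes.SHA256()))
    b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://idp.example.test">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')
```

Run `rotation_report` with the metadata XML currently uploaded in the Portal and the freshly downloaded one before step 7; `new_cert_present` being false means the IdP export still carries the old certificate.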

Remarks

  • If you are migrating from legacy/manual (non-self-service) SSO, reconfigure using the self-serve workflow rather than asking SingleStore to update your existing connection. After you make the new connection live, file a support ticket to have the old connection disabled.

  • The steps for other IdPs (Azure AD, JumpCloud) are similar: create/update SAML app, upload new certificate, update IdP XML, and verify authentication.

  • Refer to the latest Okta self-serve SSO steps and adapt based on your identity provider’s specifics.

Last modified: June 12, 2025
