# Renew/Rotate SAML Certificate for SSO

Your SSO configuration is either self-service (you set it up yourself using the Portal) or it was set up by filing a support ticket and exchanging configuration blocks with SingleStore, who performed the SingleStore-side setup. If your configuration is not self-service and you have an expiring certificate, you must switch to self-service: SingleStore will not update non-self-service configurations. For additional details, refer to [SingleStore’s Identity Platform](https://docs.singlestore.com/cloud/security/portal-access/singlestores-identity-platform.md).

The steps outlined below assume you are already self-service.

SAML certificate rotation for SingleStore Helios Portal access, where Single Sign-On (SSO) is configured via self-service (for example, with Okta), involves re-establishing the SAML connection with a new certificate. The process is essentially the same as configuring SSO, but with updated certificate material: certificate rotation is performed by redoing the SSO configuration, not with a separate rotation-specific workflow.

The following steps outline the SAML certificate rotation:

1. **Prepare for Rotation**

   * Identify the expiration date of your existing SAML signing certificate.
   * Notify stakeholders about the planned rotation to minimize disruption.
   * The following steps are a summary of the [regular SAML instructions](https://docs.singlestore.com/cloud/security/#saml-authentication.md). You also have the option of switching to OIDC, which is recommended in cases where your Identity Provider is not behind a firewall.

2. **Access your SSO Provider and the SingleStore Helios Portal**

   * Log into your SingleStore Helios Portal.
   * Log into your SAML identity provider’s admin portal (for example, Okta).

3. **Add (or Update) the Identity Provider Connection**

   * In the SingleStore Helios Portal, navigate to **Organization Details** > **Authentication** tab.
   * Use the **Add Identity Provider** list to start a new connection or edit the existing one, as appropriate.
   * Assign a connection name (for example, Okta SAML).

4. **Copy the Service Provider Metadata**

   * Download/copy SingleStore’s Service Provider Configuration (Login/Logout URLs, Entity ID) for use in your IdP.

5. **Create/Configure the SAML Application in Your IdP**

   * In your IdP (for example, Okta), create or update the app integration:

     * Input SingleStore’s URLs and Entity ID.
     * Set an appropriate NameID format (for example, Persistent).
     * Configure required attribute statements (`email`, `lastName`, `firstName`).

6. **Generate or Upload a New SAML Signing Certificate in Your IdP**

   * In your IdP, generate a new SAML signing certificate or upload a renewed one.
   * Download the IdP metadata XML (updated with the new certificate).

7. **Upload IdP Metadata to SingleStore**

   * In the SingleStore Helios Portal, upload the new IdP metadata XML under the SAML connection.

8. **Map User Attributes and Set Domains**

   * Map the user attributes in SingleStore to correspond with the IdP.
   * Add/verify required domains.

9. **Update IdP with SingleStore’s New Certificate (If Required)**

   * If SingleStore's SP signing certificate has changed, upload the `.pem` file to your IdP and enable **Validate SAML requests with signature certificates**.

10. **Finalize and Test the Configuration**

    * Save and update the SSO connection in SingleStore.
    * Test the login workflow to ensure the new certificate is used and authentication succeeds. **This is the most important step.**
    * After testing succeeds, enable/activate the connection.

11. **Decommission the Old Configuration**

    * After validation, remove any deprecated or obsolete SAML settings.
    * If migrating from legacy SSO (for example, "old-style Keycloak"), ensure the previous IdP is disabled to avoid confusion.
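Two of the steps above lend themselves to a scripted check: finding the expiry date of the current IdP signing certificate (step 1) and confirming that the metadata XML you downloaded after generating the new certificate (step 6) actually carries a signing certificate that outlives your rotation window before you upload it (step 7). The script below is an added example and is not SingleStore's tooling or part of the original page. It uses only the Python standard library: ElementTree to read the `KeyDescriptor` entries (skipping `use="encryption"`, which is not the signing certificate SingleStore validates responses against), and a minimal DER walk to read the certificate's validity period. In practice `openssl x509 -noout -enddate` or the `cryptography` package do that last job; the DER reader is here only to keep the example dependency-free. The entity ID, URLs and the two certificates are constructed placeholders, and the metadata deliberately lists an old and a new signing certificate side by side, which the SAML metadata format allows.

```python
"""Check the signing certificate(s) in SAML IdP metadata before uploading it.
Added example, not SingleStore's tooling. Standard library only."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
_UTC = dt.timezone.utc


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _time(tag, value):
    """X.509 Time: UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=_UTC)


def certificate_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, ... }"""
    _, cert, _ = _tlv(der, 0)
    fields = list(_children(next(_children(cert))[1]))  # children of tbsCertificate
    if fields[0][0] == 0xA0:  # the explicit [0] version tag is optional
        fields = fields[1:]
    not_before, not_after = _children(fields[3][1])  # serial, sigalg, issuer, validity
    return _time(*not_before), _time(*not_after)


def signing_certificates(metadata_xml):
    """DER bytes of every signing certificate in the IdP metadata. A KeyDescriptor
    with no `use` attribute may sign or encrypt, so it counts; encryption-only is skipped."""
    certs = []
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(node.text.split())))
    return certs


def check_metadata(metadata_xml, now=None, min_days=30):
    """One row per signing cert: expiry, days left, and whether it outlives min_days."""
    now = now or dt.datetime.now(_UTC)
    rows = []
    for der in signing_certificates(metadata_xml):
        _, not_after = certificate_validity(der)
        days_left = (not_after - now).days
        rows.append({"not_after": not_after, "days_left": days_left,
                     "ok": days_left >= min_days})
    return rows


# --- constructed sample data: not a real IdP and not real certificates ---------

def _der(tag, payload):
    """Encode one DER TLV (short or long form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def constructed_certificate(not_before, not_after):
    """Minimal unsigned certificate skeleton with a real validity block. Only the
    fields the parser walks are populated; it would not pass any real validation."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),  # [0] version v3
        _der(0x02, b"\x01"),              # serialNumber
        _der(0x30, b""),                  # signature algorithm (placeholder)
        _der(0x30, b""),                  # issuer (placeholder)
        _der(0x30, utc(not_before) + utc(not_after)),  # validity
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


_b64 = lambda der: base64.b64encode(der).decode()
OLD_CERT = constructed_certificate(dt.datetime(2024, 7, 1, tzinfo=_UTC), dt.datetime(2025, 7, 1, tzinfo=_UTC))
NEW_CERT = constructed_certificate(dt.datetime(2025, 6, 1, tzinfo=_UTC), dt.datetime(2026, 6, 12, tzinfo=_UTC))

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(OLD_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(NEW_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(OLD_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def demo_report():
    """Run the check as of a fixed date (2025-06-12) so the result is reproducible."""
    return check_metadata(SAMPLE_METADATA, now=dt.datetime(2025, 6, 12, tzinfo=_UTC))


if __name__ == "__main__":
    for row in demo_report():
        print(f"signing cert expires {row['not_after']:%Y-%m-%d}: "
              f"{row['days_left']} days left -> {'OK' if row['ok'] else 'ROTATE'}")
```

Against the constructed metadata the old signing certificate shows 19 days left and is flagged, while the new one shows 365 days and passes. Run the same check against the metadata you download from your IdP in step 6: if no signing entry shows the new expiry, the IdP is still publishing the old certificate and the upload in step 7 would not rotate anything.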

## Remarks

* If you are migrating from legacy/manual (non-self-service) SSO, you should reconfigure using the self-serve workflow rather than asking to update your existing connection. After you make the new connection live, file a [support](https://support.singlestore.com/) ticket to have the old connection disabled.
* The steps for other IdPs (Azure AD, JumpCloud) are similar: create or update the SAML app, generate or upload the new signing certificate, upload the updated IdP metadata XML to SingleStore, and verify authentication.
* Refer to the latest [Okta self-serve SSO steps](https://docs.singlestore.com/cloud/security/portal-access/scim-user-provisioning/idp-configuration-okta.md) and adapt based on your identity provider’s specifics.

***

Modified at: June 12, 2025

Source: [/cloud/security/portal-access/renew-rotate-saml-certificate-for-sso/](https://docs.singlestore.com/cloud/security/portal-access/renew-rotate-saml-certificate-for-sso/)

