Easily create, delete, and rotate the X.509 certificates used with your SAML apps

SAML uses X.509 certificates to ensure the authenticity and integrity of messages shared between an Identity Provider (IdP) and Service Provider (SP). These certificates are associated with your SAML applications when you first install them via the Admin console and have a five-year lifetime. When a certificate expires, a user can’t sign in to the associated application using SAML-based SSO.

To change an application’s existing certificate (e.g. because it’s about to expire or has been compromised in some way), an admin needs to “rotate” it. Traditionally, you could do this with help from Google Support. Today, we’re giving you the ability to do so on your own in the Admin console, where you can easily view certificates in use, identify those about to expire, create new ones, and assign them to applications.

Please note that only super admins will be able to view the expiration status of SAML certificates and take action on them.

To learn more about SAML certificate rotation and how to manage certificates, please visit the Help Center.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Admins only

Admin action suggested/FYI

More Information
Help Center: Using SAML to set up federated SSO
Help Center: Maintain SAML certificates

Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates