For an organization whose users sign in to many SAML applications, using several SAML signing certificates rather than one is a simple way to tighten the trust relationship between each application and OneLogin: every service provider trusts only the certificate assigned to it, so a certificate that must be revoked or replaced affects only the apps that use it. Using multiple certificates also lets you roll over expiring certificates app by app instead of all at once.
To access your X.509 certificates, go to Settings > Certificates. All certificates used by your OneLogin account are shown here, with the key length of each, the number of apps associated with each, and the dates of issue and expiration.
Creating a Certificate
To create a new certificate:
- Log into OneLogin as an administrator and go to Settings > Certificates.
- Name your certificate.
- Select a Key Length for the RSA key pair: 1024, 2048, or 4096 bits. Once the certificate has been created, the key length can no longer be edited. Choose 2048 or 4096; 1024-bit RSA is no longer considered adequate, and some service providers reject it.
- Select the Signature algorithm: SHA1, SHA256, or SHA512. Prefer SHA256 or SHA512; SHA1 is deprecated for signatures and should be chosen only for a legacy app that cannot validate anything else.
- Select the Expiration period: 5 years, 2 years, or 1 year.
- (Optional) Select the Set the CA flag in the Basic Constraints extension option to "true" option to identify the certificate as a CA certificate.
This option sets the CA flag in the Basic Constraints extension to true and sets the keyCertSign bit in the Key Usage extension. Some service providers (apps) require that this extension be present on SAML signing certificates; most do not. If you use an app that requires it, select this option and use that certificate only for those apps. We recommend a separate certificate, without this option enabled, for apps that do not require the Basic Constraints extension, so that a certificate able to sign other certificates is trusted by as few parties as possible.
On the certificate page, the SHA fingerprint and the X.509 certificate string are both displayed. You can also download .PEM or DER files of the X.509 certificate or of the RSA private key by selecting one in the dropdown and clicking Download. A service provider only ever needs the certificate (the public half); download the private key only when you have a specific reason to, and treat the file as a secret. Any apps using this certificate are shown at the bottom.
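The following script is an added example, not part of OneLogin's documentation or tooling. It shows how to check a certificate downloaded from this page (or any PEM you are about to hand to a service provider) against the options described above: key length, signature algorithm, remaining validity, the Basic Constraints CA flag and keyCertSign bit, the SHA-256 fingerprint, and a PEM-to-DER conversion for apps that only accept DER. It relies solely on the `openssl` command line; the `make_test_cert` helper generates a self-signed certificate locally so the script runs offline, and the file names, the `audit_cert` function, and the 45-day threshold (taken from the notification schedule below) are assumptions of this example.

```shell
#!/bin/sh
# Added example: inspect a SAML signing certificate (PEM) with the openssl CLI.
set -eu

# Print the RSA key length in bits (the "Key Length" chosen at creation).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the SHA-256 fingerprint as colon-separated hex (compare with the UI).
cert_fingerprint_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the certificate stays valid for more than $2 days from now.
cert_valid_beyond_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if Basic Constraints carries CA:TRUE (the "Set the CA flag" option).
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 if Key Usage includes keyCertSign (printed as "Certificate Sign").
cert_has_keycertsign() {
  openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# Convert PEM to DER for service providers that only accept DER.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }

# Run the checks an admin would want before assigning a certificate to an app.
# Returns 0 when the certificate matches the recommended settings, 1 otherwise.
audit_cert() {
  cert="$1"; status=0
  bits=$(cert_key_bits "$cert")
  alg=$(cert_sig_alg "$cert")
  echo "fingerprint: $(cert_fingerprint_sha256 "$cert")"
  [ "$bits" -ge 2048 ] \
    || { echo "WEAK: $bits-bit RSA key; create a 2048- or 4096-bit certificate"; status=1; }
  case "$alg" in
    sha1*) echo "WEAK: signed with $alg; choose SHA256 or SHA512"; status=1 ;;
  esac
  cert_valid_beyond_days "$cert" 45 \
    || { echo "EXPIRING: fewer than 45 days left; rotate now"; status=1; }
  if cert_is_ca "$cert"; then
    echo "NOTE: CA:TRUE set; use this certificate only for apps that require it"
  fi
  return $status
}

# Constructed test data: a self-signed certificate generated locally so the
# script runs offline. Args: out.pem key_bits digest days ca(TRUE|FALSE)
make_test_cert() {
  dir=$(mktemp -d)
  ku="digitalSignature"
  [ "$5" = TRUE ] && ku="digitalSignature, keyCertSign"
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
basicConstraints = critical, CA:$5
keyUsage = critical, $ku
EOF
  openssl req -x509 -config "$dir/req.cnf" -newkey "rsa:$2" -"$3" -days "$4" \
    -nodes -subj "/CN=onelogin-example" -keyout "$dir/key.pem" -out "$1" 2>/dev/null
  rm -rf "$dir"
}
```

Run `audit_cert cert.pem` against the downloaded PEM; a non-zero exit means the certificate uses a setting the list above recommends against or is inside the notification window. The `-checkend` check is the same question OneLogin's expiration notices answer, so it is handy for an external monitor that does not read e-mail.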
Set the certificate as the default by clicking the Set as Default button. It will appear as the default X.509 certificate on the SSO page whenever you add a connector.
To change which certificate an application is using:
- Go to Apps > Company Apps > Application.
- On the SSO tab click Change.
- Select the certificate you wish to associate with the application.
- Log into the application as an administrator and replace its stored OneLogin X.509 certificate with the one you just selected. Until the service provider has the new certificate, it will reject SAML assertions signed with the new key and users will be unable to sign in to that app.
Certificate Expiration Notification
OneLogin notifies your administrators when a OneLogin X.509 certificate is going to expire.
Notifications are sent one year, 90 days, and 45 days before expiration, and daily thereafter until the certificate is updated. The default notification email can be customized on the Notifications page.