Rotate SSO Application Certificates, SCIM Token Keys, & OIDC Tokens

Note:

The following are recommended actions for all JumpCloud organizations using SSO applications:

  • If you are using SAML for SSO, perform the steps in the SAML SSO section.
  • If you are using OIDC for SSO, perform the steps in the OIDC section.
  • If you are using SCIM for Identity Management, perform the steps in the SCIM section.

Regenerate SAML SSO Application Certificates

To regenerate SAML SSO Application Certificates

All SAML SSO integrations require a certificate and private key pair.  This certificate and private key pair can be auto-generated by JumpCloud, or you can upload your own. In addition, some Service Providers require a Service Provider Certificate.  

Important:

Admins should review their Service Provider's requirements before taking these steps to limit downtime and prevent lockouts.

Tip:

To rotate the cert for M365, please refer to the specific steps in the SSO with M365 article.

To regenerate a JumpCloud-created certificate and private key pair

Complete the following steps for each SAML SSO app integration you have configured for which you would like to use a JumpCloud-created certificate and private key pair. 

  1. Log in to the JumpCloud Administrator Portal.
  2. Go to USER AUTHENTICATION > SSO.
  3. Select an SSO application from the list.
  4. Click the small triangle to the right of IDP Certificate Valid in the Single sign-on section of the left-hand panel.
  5. Select Regenerate certificate.
  6. Click continue.
  7. After you regenerate the certificate, the private key is also regenerated.
  8. Click save.

Important:

When you upload a new certificate, your private key is wiped. You need to upload a new private key after you upload a certificate.

To update the IdP certificate in the Service Provider

Depending on how the Service Provider accepts certificates, do one of the following to upload the new certificate in the Service Provider’s application.

To update the IdP certificate in the Service Provider using a metadata URL

If the Service Provider supports updating the configuration and certificate from a metadata file URL: 

  1. Log in to the JumpCloud Administrator Portal.  
  2. Go to USER AUTHENTICATION > SSO.
  3. Select an SSO application from the list. 
  4. Click the SSO tab.
  5. Click Copy Metadata URL.
  6. From the Service Provider’s application admin console, paste the metadata URL in the designated place in their SAML SSO configuration page or section.
  7. Save the changes.

To update the IdP certificate in the Service Provider using a metadata file

If the Service Provider supports extracting the certificate from the metadata file: 

  1. Export the metadata file from the SSO configured applications page.
    1. Log in to the JumpCloud Administrator Portal.  
    2. Go to USER AUTHENTICATION > SSO.
    3. Click the checkbox next to the SSO application in the list.
    4. Click Export Metadata.
  2. Alternatively, you can export the metadata file from the application’s configuration details page.
    1. Log in to the JumpCloud Administrator Portal.
    2. Go to USER AUTHENTICATION > SSO.
    3. Select an SSO application from the list.
    4. Click the SSO tab.
    5. Click Export Metadata.
  3. From the Service Provider’s application admin console, upload the metadata file in the designated place in their SAML SSO configuration page or section.
  4. Save the changes.

To update the IdP certificate in the Service Provider by uploading the certificate

If the Service Provider supports uploading the IdP certificate file (.pem):

  1. If you just saved the application, from the notification in the upper-right corner of the screen click Download Certificate.
  2. Otherwise, download the certificate from the application’s configuration details page.
    1. Reopen the application.
    2. Click the small triangle to the right of IDP Certificate Valid in the Single sign-on section of the left-hand panel.
    3. Select Download Certificate.
  3. From the Service Provider’s application admin console, upload the certificate file in the designated place in their SAML SSO configuration page or section.
  4. Save the changes.

To update the IdP certificate in the Service Provider by copying and pasting the contents of the certificate file

If the Service Provider supports copying and pasting the contents of the certificate file (.pem):

  1. If you just saved the application, from the notification in the upper-right corner of the screen click Download Certificate.
  2. Otherwise, download the certificate from the application’s configuration details page.
    1. Reopen the application.
    2. Click the small triangle to the right of IDP Certificate Valid in the Single sign-on section of the left-hand panel.
    3. Select Download Certificate.
  3. From the Service Provider’s application admin console, navigate to the SAML SSO configuration page or section.
  4. Open the certificate file (.pem) you downloaded from JumpCloud.
  5. Copy the contents of the certificate file.
  6. Paste the contents of the certificate file in the designated place in the SAML SSO configuration page or section.

Important:

Refer to the Service Provider documentation to determine whether “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” should be included when pasting the certificate contents.

  7. Save the changes.
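
Added example (not JumpCloud's code): a check that the certificate pasted or uploaded at the Service Provider is the one in the freshly exported IdP metadata file, comparing SHA-256 fingerprints and accepting the pasted text with or without the BEGIN/END lines. The function names, the entityID and the sample data are assumptions; the sample "certificates" are constructed placeholder bytes, not real X.509 data.

```python
import base64, hashlib, re, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(text):
    """Decode certificate text pasted with or without the BEGIN/END lines."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)

def der_to_pem(der, headers=True):
    """Re-encode DER as 64-column base64, optionally with BEGIN/END lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    if headers:
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return body

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def idp_signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of the IdP signing certificates in SAML metadata."""
    root = ET.fromstring(metadata_xml)  # own export; use defusedxml for untrusted XML
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # skip encryption-only keys
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.add(fingerprint(pem_to_der(cert.text or "")))
    return found

def sp_matches_idp(metadata_xml, sp_cert_text):
    """True if the certificate configured at the SP is in the IdP metadata."""
    return fingerprint(pem_to_der(sp_cert_text)) in idp_signing_fingerprints(metadata_xml)

# Constructed sample data: placeholder bytes stand in for DER certificates.
NEW_DER = b"constructed-new-idp-certificate-" * 20
OLD_DER = b"constructed-old-idp-certificate-" * 20
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{der_to_pem(NEW_DER, headers=False)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(sp_matches_idp(METADATA, der_to_pem(NEW_DER)), sp_matches_idp(METADATA, der_to_pem(OLD_DER)))
```

A mismatch after rotation means the Service Provider still trusts the previous certificate and will reject assertions signed with the new key.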

To update the Service Provider certificate in JumpCloud

Some Service Providers require a Service Provider certificate. After you have updated the new JumpCloud IdP certificate, complete the following steps for each SAML SSO app integration you have configured that requires a Service Provider certificate. 

To update the Service Provider certificate in JumpCloud by uploading the Service Provider metadata file

  1. From the Service Provider’s application admin console, navigate to the SAML SSO configuration page or section.
  2. Select the option to download the Service Provider metadata file.
  3. Log in to the JumpCloud Administrator Portal.  
  4. Go to USER AUTHENTICATION > SSO.
  5. Select an SSO application from the list.
  6. Click the SSO tab.
  7. Click Upload Metadata in the Service Provider Metadata section.
  8. Browse to the metadata file.
  9. Click Open.
  10. Click save.

To update the Service Provider certificate in JumpCloud by uploading the certificate file

  1. From the Service Provider’s application admin console, navigate to the SAML SSO configuration page or section.
  2. Select the option to download the Service Provider certificate.
  3. Log in to the JumpCloud Administrator Portal.  
  4. Go to USER AUTHENTICATION > SSO.
  5. Select an SSO application from the list.
  6. Click the SSO tab.
  7. Scroll to the Service Provider certificate section.
  8. Click Replace Service Provider Certificate.

Important:

For a pre-built SSO integration, if there is no section or button, a Service Provider certificate is not required.

  9. Browse to the certificate file.
  10. Click Open.
  11. Click save.

Rotate SCIM Token Keys

To rotate SCIM Token Keys

Prerequisites

  • Admin login credentials are required for each Service Provider’s application for which a SCIM integration is configured.

Steps to take in JumpCloud:

  1. Log in to the JumpCloud Administrator Portal.
  2. Go to USER AUTHENTICATION > SSO.
  3. Search for the application that you’d like to deactivate and click to open its details panel. 
  4. Under the company name and logo on the left-hand side, click Deactivate IdM connection under the Identity Management section.
  5. Click confirm to deactivate Identity Management for the application.

Steps to take in Service Provider:

  1. Disable the existing token, if possible.
  2. Generate a new token.

Steps to take in JumpCloud:

  1. Reconfigure the Identity Management connection using the new token, following the steps from the Help Center article specific to the app in question or the Custom SCIM integration.


Regenerate OIDC Secrets

To update OIDC Secrets

Prerequisites

  • Admin login credentials for each service provider’s application for which an SSO OIDC integration is configured.

Steps to take in JumpCloud:

  1. Log in to the JumpCloud Administrator Portal.
  2. Go to USER AUTHENTICATION > SSO and open the OIDC application.
  3. In the left aside, click Client Secret Valid > Regenerate Secret.
  4. Click Regenerate when the Regenerate Client Secret window appears.
  5. Copy and store the new Client Secret in a safe location, like a password manager.
  6. Click Got It.

Steps to take in Service Provider:

  1. Update the Service Provider configuration with the regenerated Client Secret.
