What to do when a certificate changes

From time to time the certificates used to secure communications between you and us need to be updated. Usually because they are nearing their expiry date.

When you change a certificate on your local connector

LDAP

Use the second certificate slot for the new certificate (certificates tab on your connector)

SAML and SAML based such as ADFS, CAS, Entra, Google, Okta

If you added metadata via a URL, then you can refresh that metadata with the button on your connection page to pick up the new certificate.

If you uploaded metadata instead you use the second certificate slot (certificates tab on your connector)

When we change the certificate at our end

This usually only happens every 10 years or so

Local connectors (SAML, ADFS, CAS)

Ask your IT team to refresh the metadata of the relying party (our end)

Some platforms don’t store the certificate, so don’t need an update (e.g. MS Entra, Google, Okta)

• See also:

  • Updating metadata or relying party certificates for SAML local connectors

1:1 connections

You will need to contact all the things you’re connecting to and have them update the metadata they have for you. In some cases you’ll be able to do this yourself via an interface.

• See also:

  • Updating the certificate used by custom SAML resources

  • Sign in to things with OpenAthens

  • How to access your login.openathens.net metadata