In this case, it is imperative that you update the certificate if your configuration requires either:

  • Signed AuthN requests.
  • SAML single logout (SLO), either IdP-initiated or SP-initiated.
Note:

You do not need to update the PingOne universal certificate if you're using an identity repository other than PingFederate, Microsoft AD FS, or a custom SAML provider.

Check the Dashboard in the PingOne for Enterprise admin portal to see whether a certificate is due to expire. For more information, see Certificate alerts.

PingOne for Enterprise will also send you an email notifying you when the universal certificate is nearing expiration.

If you use Microsoft AD FS or a custom SAML provider as your identity repository, you will need to check your configuration.

If the identity repository is configured to use either SLO (IdP-initiated or SP-initiated) or signed AuthN requests, you will need to update the PingOne universal certificate.

  1. If PingFederate Bridge is your identity repository, check whether PingFederate Bridge is configured to sign AuthN requests or use SLO:
    1. Log in to the PingFederate Bridge console.
    2. On the left navigation menu, click Identity Provider.
    3. Click Connections > PingOne to show the connection summary.
    4. In the summary under Browser SSO, check the IdP-Initiated SLO and SP-Initiated SLO settings.
      If either setting is True, you will need to update the PingOne universal certificate.
    5. Scroll down toward the bottom of the summary to Protocol Settings. Check the setting for Require digitally signed AuthN requests.
      If this setting is True, you will need to update the PingOne universal certificate.
    If the configuration doesn't use SLO and doesn't require signed AuthN requests, you do not need to update the PingOne universal certificate.
To update the PingOne universal certificate, follow the instructions in Updating a signing certificate for an identity repository.
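For a custom SAML provider, the same two conditions can be read from the provider's exported SAML 2.0 metadata. The following is an added example, not code from PingOne or from this page. It assumes the exported metadata reflects the live configuration, and the sample metadata, entity ID and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample IdP metadata (not from any real deployment).
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def certificate_update_reasons(metadata_xml):
    """List the reasons (possibly none) the universal certificate needs updating."""
    # Assumption: the metadata was exported from your own provider and is trusted.
    root = ET.fromstring(metadata_xml)
    reasons = []
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        # xs:boolean allows "true" and "1"; the attribute defaults to false.
        signed = idp.get("WantAuthnRequestsSigned", "false").strip().lower()
        if signed in ("true", "1"):
            reasons.append("signed AuthN requests required")
        slo = idp.findall(f"{{{MD}}}SingleLogoutService")
        if slo:
            bindings = sorted(e.get("Binding", "").rsplit(":", 1)[-1] for e in slo)
            reasons.append("SLO endpoints: " + ", ".join(bindings))
    return reasons


def needs_certificate_update(metadata_xml):
    return bool(certificate_update_reasons(metadata_xml))


if __name__ == "__main__":
    for reason in certificate_update_reasons(SAMPLE_IDP_METADATA):
        print("update required:", reason)
```

An empty result corresponds to the case where the configuration uses neither SLO nor signed AuthN requests, so no certificate update is needed.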