When a verification certificate expires or is about to expire, you must update it.
You can update:
- An application verification certificate using SAML 2.0 or later
- A verification certificate associated with an identity provider (IdP)
Updating an application verification certificate
When a verification certificate expires or is about to expire, you must generally upload a new verification certificate.
Updating an identity repository verification certificate
You can update a verification certificate for a PingFederate Bridge manual connection, Microsoft Active Directory Federation Services (AD FS), or a custom SAML identity repository. If a verification certificate expires or is about to expire, you must obtain an updated certificate from the identity repository.
If a secondary certificate is defined and you have not yet received an updated primary verification certificate, PingOne for Enterprise can validate a signature using the secondary certificate.
In most cases, you must replace the primary verification certificate with the secondary verification certificate. Do this when your single sign-on (SSO) partner confirms they are no longer signing messages with the certificate previously assigned as the primary verification certificate.
The identity repository is updated with the new verification certificates.
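The following added example, which is not PingOne for Enterprise code, shows one way to check which signing certificates an SSO partner currently publishes in its SAML 2.0 metadata and map that to the primary and secondary steps described above. The sample metadata, the entityID, and the `rotation_step` helper with its return values are assumptions made for illustration. Published metadata is only a hint, so the partner's confirmation is still required before you replace the primary.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed sample metadata: the certificate bodies are placeholder bytes,
# not real X.509 certificates, and the entityID is hypothetical.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{_b64(b'new-signing-cert')}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{_b64(b'encryption-cert')}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the raw certificate bytes."""
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the partner publishes for signing."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' covers signing too
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                body = "".join((cert.text or "").split())
                found.add(fingerprint(base64.b64decode(body)))
    return found

def rotation_step(primary_fp, secondary_fp, published):
    """Hypothetical helper mapping the published set to the page's actions."""
    if primary_fp in published:
        return "keep-primary"
    if secondary_fp is not None and secondary_fp in published:
        return "promote-secondary"  # still wait for the partner's confirmation
    return "obtain-updated-certificate"
```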