For multiplexed SAML applications and connected customer identity providers, you use signing certificates to sign single sign-on (SSO) and single logout (SLO) messages sent from PingOne SSO for SaaS Apps. Signing certificates created in PingOne SSO for SaaS Apps are self-signed by default. You can also create a certificate signing request (CSR) in PingOne SSO for SaaS Apps and send the certificate for signing by a certificate authority (CA).

PingOne SSO for SaaS Apps uses verification certificates to verify the signature on SSO and SLO messages received by PingOne SSO for SaaS Apps from service providers and identity providers. PingOne SSO for SaaS Apps first attempts to validate a signature using the primary verification certificate. If verification fails, PingOne SSO for SaaS Apps will then attempt to use the secondary verification certificate, where defined.


Verification and encryption certificates are not supported for applications using SAML v1.1

The Dashboard notification area in the admin portal displays an alert for certificates that are about to expire or have expired.

A yellow alert indicates:

  • One or more signing certificates are due to expire in the next three months
  • A primary verification certificate is about to expire (and will be replaced by a secondary verification certificate, if available)
  • A secondary verification certificate is about to expire
  • An encryption certificate is about to expire

A yellow alert for expiring certificates creates a link to the Certificate Management page.

A red alert indicates a certificate has expired. The alert contains a link to the Certificate Management page.

In addition to Dashboard messages, PingOne SSO for SaaS Apps notifies Global Administrators about expiring certificates by email. Notification emails are sent 60 days, seven days, and one day before a certificate expires, and again after the certificate expires.

For more information about email notification preferences, see Editing administrative roles, permissions, and notifications.


You will be able to see certificates (signing or verification) that you cannot manage, and that originate outside of your account in the following circumstances:

  • A PingOne for Enterprise or Invited SSO account has a connection to your account's non-multiplexed SAML application. In this case, the connection's signing certificates will be visible to you.
  • A PingOne for Enterprise account uses an identity repository that employs certificates, such as PingFederate, a custom SAML, or ADFS identity repository, and also has a connection to one of your account's SAML applications. In this case both the signing and verification certificates for the identity repository, as well as the connection's signing certificate, will be visible to you.

Although these certificates are visible to you, they are owned by a separate account and must be managed by an administrator in that account.

Such certificates will also appear in your Dashboard notification area, if the certificates are expired or due to expire. This gives you visibility into certificates that are expiring or expired that your connected customers need to take action on.