Introduction

When an Identity Provider (IdP) such as Okta, ADFS, or Azure AD rotates its SAML signing certificate, the Service Provider (SP) must obtain the new certificate from the IdP's metadata URL. If the SP does not refresh that metadata, or caches it too aggressively, it keeps validating SAML assertions against the old certificate and every new login fails with a signature error. This is a common problem during scheduled certificate rotations.

Symptoms

  • All SAML logins fail with `SAML assertion signature verification failed`
  • IdP logs show `Invalid assertion signature - certificate mismatch`
  • SP logs show:

```
Error: Unable to verify signature with current certificate.
Thumbprint: A1B2C3D4... does not match assertion signing cert E5F6G7H8...
```

  • Works for users who logged in before the rollover (cached session), fails for new logins

Common Causes

  • SP caches the metadata XML and does not refresh automatically
  • Metadata URL endpoint returns stale cached content
  • Manual certificate upload required but not performed
  • IdP has two valid certificates during rollover window but SP only has one
  • Metadata URL requires authentication that expired

Step-by-Step Fix

```bash
grep '<X509Certificate>'

# Restart Shibboleth
systemctl restart shibd
```

  1. For applications using the Passport.js SAML strategy, update the certificate list. Each element of `cert` must be one complete PEM certificate, not one line of it:

```javascript
// config/saml.js
const samlConfig = {
  entryPoint: 'https://your-idp.example.com/saml/sso',
  issuer: 'https://your-sp.example.com',
  // Update with the new certificate from metadata
  cert: [
    [
      '-----BEGIN CERTIFICATE-----',
      'MIIDXTCCAkWgAwIBAgIJALiPnVsvq86aMA0GCSqGSIb3DQEBCwUAMEU...',
      '-----END CERTIFICATE-----',
    ].join('\n'),
    // Keep the old cert during the rollover overlap period
    [
      '-----BEGIN CERTIFICATE-----',
      'MIIDXTCCAkWgAwIBAgIJALiPnVsvq86bMA0GCSqGSIb3DQEBCwUAMEU...',
      '-----END CERTIFICATE-----',
    ].join('\n'),
  ],
};

module.exports = samlConfig;
```

  2. Configure automatic metadata refresh:

```bash
# For Shibboleth, set reloadInterval on the MetadataProvider in shibboleth2.xml:
# <MetadataProvider type="XML" file="idp-metadata.xml"
#                   reloadInterval="3600"/>

# For AWS Cognito (User Pool SAML IdP):
aws cognito-idp update-identity-provider \
  --user-pool-id us-east-1_XXXXXXXXX \
  --provider-name YourSAMLIdP \
  --provider-details MetadataURL="https://idp.example.com/metadata.xml"
```

Prevention

  • Configure SP to accept multiple IdP certificates during rollover
  • Set metadata refresh interval to 1 hour or less
  • Subscribe to IdP certificate expiration notifications
  • Schedule certificate rollovers during maintenance windows
  • Keep the old certificate active in SP config for 24-48 hours after rollover
  • Test with a SAML tracer browser extension before and after rollover