TL;DR: SAML certificates underpin trust in federated SSO by letting IdPs and SPs sign, verify, and encrypt SAML messages, but, as WorkOS notes, an expired or mismatched certificate, or metadata that was never refreshed after a change, can abruptly break login flows. The real issue is not certificate syntax; it is treating trust as static when federated identity depends on continuous lifecycle control.
NHIMG editorial — based on content published by WorkOS: SAML certificates explained: How they work and how to manage them
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should teams manage SAML certificate rotation without breaking SSO?
A: Teams should treat SAML certificate rotation as a coordinated federation change, not a local admin task.
Q: Why do expired SAML certificates cause so many login failures?
A: Expired certificates break the trust relationship that SAML depends on.
Q: What do security teams get wrong about SAML signing and encryption certificates?
A: The common mistake is assuming one certificate can safely do both jobs without increasing operational risk.
Practitioner guidance
- Map every SAML trust relationship: build a live inventory of IdP, SP, signing, and encryption certificates, including owners, expiry dates, and metadata endpoints.
- Automate expiry and verification monitoring: set alerts well before expiry and monitor for signature verification, decryption, and metadata refresh failures.
- Use overlapping certificates during rotation: keep the old and new certificates valid at the same time until both sides have refreshed metadata and validated the new trust chain.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of signing and encryption certificate handling in a live SAML flow
- Concrete examples of expired, mismatched, and wrong-format certificate failures in production
- Practical rotation guidance for updating metadata without breaking existing logins
- Developer-facing troubleshooting detail for invalid signature and decryption errors
Read WorkOS's guide to SAML certificates, signing, and rotation.