Issue
Am I impacted by the login page notification regarding certificate expiry?
Urgent: SAML IdP Certificate Expires Friday, May 8th
Customers using Red Canary as a SAML IdP or a third‑party SAML IdP with certificate validation enabled must rotate the SAML IdP certificate before Friday, May 8th to avoid login failures. Customers not using SAML IdP are unaffected.
Environment
Red Canary Portal
Single Sign-On Enabled
Resolution
First, refer to your Single Sign-On page in Red Canary Portal. If it shows your subdomain's SSO profile is inactive, you are not affected by these changes and no action is required.
If your subdomain has an active SSO profile, you are only impacted if your Red Canary SAML config in your IdP (e.g. Entra ID, Okta, etc.) has Service Provider certificate validation enabled. Refer to the guidance below for your specific IdP to determine whether you're impacted and how to remediate.
Table of Contents
If you have an active SSO config in Red Canary Portal, review your IdP section below to determine whether you're affected.
Entra ID
Check whether you're affected when using Entra ID as your IdP by following the steps below:
- From the Azure portal, navigate to the Enterprise Applications service
- Search for and select the application used for Red Canary SSO
- Navigate to the Single Sign-On tab
- Refer to the Verification Certificates section under the SAML Certificates section
- If the Verification certificates (optional) section lists zero certs or says "no certs uploaded", you are not affected by these changes and no action is required
- If a certificate is listed under Verification Certificates (optional), you have Red Canary's Service Provider cert stored and need to replace it with the new cert, which you can download from https://go.my.redcanary.co/sso/red-canary-saml-service-provider-signing.cert or from your SSO profile page in Red Canary Portal
FAQ (Entra ID)
Does Entra ID validate certificate expiration?
Not by default. Entra uses the uploaded verification certificate only to validate the cryptographic signature on incoming AuthnRequests. It does not enforce the notAfter date on SP verification certificates. However, the Entra admin portal may display an expiration warning banner.
What errors should I expect if validation fails?
Users will be unable to log in to Red Canary via SSO. They will see:
- User-facing: Redirected to a Microsoft error page with "AADSTS50107: The requested federation realm object does not exist" or a generic "Unable to process the request" message.
- Admin sign-in logs: In Entra admin center → Identity → Monitoring & health → Sign-in logs, the failed sign-in will show:
- Status: Failure
- Error code: 50107 or 90008
- Failure reason: "Signature validation failed" or "SAML token validation failed. The certificate used to verify the signature does not match the expected certificate."
- How to confirm it's a cert issue: Filter sign-in logs to the Red Canary app. If failures started exactly when the old cert expired and the error references signature validation, the stored cert is the cause.
I'm affected. Where do I find and upload the certificate in Entra ID?
- Refer to the Verification Certificates section under the SAML Certificates section
- Click Edit on the Verification certificates section
- Delete the old certificate
- Upload the new certificate file (.cer or .pem) downloaded from https://go.my.redcanary.co/sso/red-canary-saml-service-provider-signing.cert under the SAML Configuration section
- Click Save
Okta
Check whether you're affected when using Okta as your IdP by following the steps below:
- Sign in to the Okta Admin Console (https://your-org.okta.com/admin)
- Navigate to Applications > Applications
- Select the Red Canary application
- Switch to the General tab
- Scroll to SAML Settings and click Edit
- Click Next to get to the Configure SAML step
- Expand Show Advanced Settings
- Look for the Signature Certificate field
- If this field is blank, Okta is not validating our signed requests. You are not affected by these changes and no action is required.
- If a certificate is uploaded here, you have our SP cert stored and it should be replaced with the new cert, which you can download from https://go.my.redcanary.co/sso/red-canary-saml-service-provider-signing.cert or from your SSO profile page in Red Canary Portal
FAQ (Okta)
Does Okta validate certificate expiration?
No. Okta uses the uploaded signature certificate solely for cryptographic verification of signed AuthnRequests. It does not enforce the X.509 validity period. Okta will not reject requests signed with an expired certificate as long as the signature is cryptographically valid.
What errors should I expect if validation fails?
Users will be unable to log in to Red Canary via SSO. They will see:
- User-facing: Okta displays a generic error page: "Sorry, something went wrong" or redirects back to the Okta dashboard without completing SSO.
- Admin System Log: In Okta Admin Console > Reports > System Log, look for events with:
- Event type: app.auth.sso
- Outcome: FAILURE
- Reason: "SAML AuthnRequest signature validation failed" or "Signature certificate is invalid"
- How to confirm it's a cert issue: In the System Log, filter by the Red Canary app. The error detail will explicitly mention signature validation failure. If you remove the Signature Certificate from Advanced Settings (leaving it blank), Okta will stop validating signed requests entirely and SSO will resume immediately.
I'm affected. Where do I find and upload the certificate in Okta?
- If a certificate is present:
- In the same Show Advanced Settings section, remove the existing certificate
- Upload the new certificate downloaded from https://go.my.redcanary.co/sso/red-canary-saml-service-provider-signing.cert under the SAML Configuration section
- Click Next > Finish
Cisco Duo
Check whether you're affected when using Cisco Duo as your IdP by following the steps below:
- Sign in to the Duo Admin Panel (https://admin.duosecurity.com)
- Navigate to Applications > Application Catalog (or search your existing applications)
- Select the application configured for Red Canary
- Scroll to the Service Provider section
- Check the Metadata Discovery area
- If configured via a metadata URL, Duo fetched our cert automatically
- If configured via manual import, check if any certificate fields are populated
FAQ (Cisco Duo)
Does Cisco Duo validate certificate expiration?
Not applicable in most configurations. Duo's Generic SAML SP setup does not typically require or validate SP-signed AuthnRequests. If your configuration uses signed requests (uncommon with Duo), the certificate would be embedded in the SAML metadata and Duo does not enforce expiration.
What errors should I expect if validation fails?
Duo SSO failures are unlikely for the reasons above, but if they occur:
- User-facing: Users will see a Duo error page stating "Authentication failed" or "Single Sign-On error. Please contact your administrator."
- Admin logs: In Duo Admin Panel → Reports → Authentication Log, look for:
- Result: FAILURE
- Reason: "Invalid SAML request" or "SAML request signature verification failed"
- How to confirm it's a cert issue: If you configured via metadata URL, re-populate the metadata. If the error resolves, the stale cert in the cached metadata was the cause.
I'm affected. Where do I upload the certificate in Cisco Duo?
If you imported configuration via metadata URL:
- Re-import the metadata by clicking Populate again after Red Canary updates the metadata endpoint
If configured via metadata XML file:
- Download the new metadata XML from Red Canary and re-import it
OneLogin
Check whether you're affected when using OneLogin as your IdP by following the steps below:
- Sign in to the OneLogin Admin Portal (https://your-org.onelogin.com/admin2)
- Navigate to Applications > Applications
- Select the Red Canary application
- Click the SSO tab
- Look for the X.509 Certificate section or SAML Signature Element settings
- Click the Configuration tab
- Check if there is a field labeled SAML initiator set to "Service Provider" and whether a certificate is uploaded
Alternatively:
- Click the SSO tab > look for Issuer URL or SAML Encryption sections that reference an SP certificate
FAQ (OneLogin)
Does OneLogin validate certificate expiration?
No. OneLogin uses SP certificates for signature verification only and does not enforce the X.509 validity period. It will continue to accept AuthnRequests signed with an expired certificate as long as the cryptographic signature is valid.
What errors should I expect if validation fails?
Users will be unable to log in to Red Canary via SSO. They will see:
- User-facing: OneLogin displays "The SAML Request could not be validated" or redirects back to the OneLogin portal with a flash error.
- Admin Event Log: In OneLogin Admin > Activity > Events, look for:
- Event type: SAML events
- Description: "SAML Request signature invalid" or "Failed to validate AuthnRequest signature"
- How to confirm it's a cert issue: Check the Events log filtered to the Red Canary app. If failures correlate with the cert expiry date and mention signature validation, update or remove the stored SP certificate. Removing it will cause OneLogin to stop requiring signed AuthnRequests and SSO will resume.
I'm affected. Where do I find and upload the certificate in OneLogin?
If you find a stored certificate:
- Navigate to Configuration tab
- Replace the existing certificate content with the new certificate downloaded from https://go.my.redcanary.co/sso/red-canary-saml-service-provider-signing.cert
- Click Save
PingOne
Check whether you're affected when using PingOne as your IdP by following the steps below:
- Sign in to the PingOne Admin Console (https://console.pingone.com)
- Navigate to Connections > Applications
- Select the Red Canary application
- Click the Configuration tab
- Look for Verification Certificate or SP Certificate under the SAML settings
- If a certificate is listed, you have our cert stored
- Check for a toggle or section labeled Enforce Signed AuthnRequest
FAQ (PingOne)
Does PingOne validate certificate expiration?
Potentially yes. PingOne is stricter than most IdPs. If the application is configured to require signed authentication requests ("Enforce Signed AuthnRequest" toggle), PingOne uses the uploaded verification certificate and may reject requests if the certificate is expired. Check:
- In the application's Configuration tab, look for Require Signed AuthnRequest (or similar toggle)
- If enabled, certificate expiration enforcement is likely active
What errors should I expect if validation fails?
PingOne is the most likely to actively reject expired certificates. Users will see:
- User-facing: A PingOne error page displaying "Request signature verification failed" or "The SAML authentication request could not be verified" with a correlation ID.
- Admin audit logs: In PingOne Admin → Audit → Activity, look for:
- Activity type: SSO
- Result: FAILED
- Description: "SAML request signature verification failed," "Certificate expired," or "Unable to validate request signature - certificate not valid"
- How to confirm it's a cert issue: PingOne's error messages are typically explicit about certificate problems. The audit log entry will reference the verification certificate. If the Require Signed AuthnRequest toggle is ON and the error mentions certificate validity, this is the cause. You can temporarily disable the toggle to restore SSO while you update the certificate.
I'm affected. Where do I find and upload the certificate in PingOne?
If a certificate is present:
- In the Configuration tab, find the Verification Certificate section
- Click Edit or the pencil icon
- Upload the new certificate file downloaded from https://go.my.redcanary.co/sso/red-canary-saml-service-provider-signing.cert under the SAML Configuration section
- Click Save
Cause
Red Canary is rotating the SAML signing certificate used by our portal. If your Identity Provider (IdP) has a copy of our Service Provider (SP) certificate stored, you may need to update it. This document helps you determine:
- Whether your IdP has a copy of our certificate stored
- Whether your IdP validates certificate expiration dates
What to tell your IdP administrator
"Red Canary is rotating their SAML signing certificate. The new certificate uses the same key material, so the cryptographic signatures will continue to validate. However, if our IdP has a copy of our previous certificate stored, please replace it with the updated certificate at https://go.my.redcanary.co/sso/red-canary-saml-service-provider-signing.cert. This ensures continued SSO functionality and removes any expiration warnings from your admin console."
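The statement above that the new certificate carries the same key material, and the per-IdP questions on whether an expired certificate is rejected, can both be checked locally before touching the IdP. The following POSIX shell script is an added example, not Red Canary tooling or part of this article: it compares the public key of the certificate your IdP has stored against the newly downloaded one and reports each certificate's notAfter. It assumes openssl is on PATH and that both files are PEM (.cer/.pem); the file names are placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Red Canary's tooling).
# Usage: sh compare_sp_certs.sh stored-old.cer downloaded-new.cer
# Assumes: openssl on PATH; both inputs are PEM certificates. If the
# download turns out to be DER, convert it first with `openssl x509 -inform DER`.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo. Identical digests mean
# identical key material, so AuthnRequest signatures keep verifying against
# either certificate.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints "same" when both certificates carry the same public key, else "different".
same_key() {
    if [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]; then
        echo same
    else
        echo different
    fi
}

# Prints "valid" if notAfter is still in the future, "expired" otherwise
# (-checkend 0 asks openssl whether the certificate expires within 0 seconds).
expiry_state() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# Human-readable summary for the stored (old) and downloaded (new) certificate.
report() {
    echo "stored cert:  $(openssl x509 -in "$1" -noout -enddate) ($(expiry_state "$1"))"
    echo "new cert:     $(openssl x509 -in "$2" -noout -enddate) ($(expiry_state "$2"))"
    echo "key material: $(same_key "$1" "$2")"
}

if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

If the key material reports "different", the IdP will start rejecting signed AuthnRequests once the stored certificate is removed unless the new one is uploaded, so treat that as a must-replace regardless of expiry.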