To set up SSO with third-party IdPs where Google is the service provider, you need to upload one or more verification certificates. The certificate contains the public key which verifies sign-in from the IdP.
- If you’re configuring the Third-party SSO profile for your organization, you upload one verification certificate.
- If you’re creating a new SAML SSO profile, you can upload two certificates, giving you the option to rotate certificates.
You’ll usually get these certificates from your IdP. However, you can also generate them yourself.
Requirements
- The certificate must be a PEM or DER formatted X.509 certificate with an embedded public key.
- The public key must be generated with the DSA or RSA algorithms.
- The public key in the certificate must match the private key used to sign the SAML response.
How to rotate certificates
If you upload two certificates to a SAML SSO profile, Google can use either certificate to validate a SAML response from your IdP. This allows you to safely rotate an expiring certificate on the IdP side. Follow these steps at least 24 hours before a certificate is due to expire:
- Create a new certificate on the IdP.
- Upload the certificate as the second certificate to Admin console. For instructions see Create a SAML profile.
- Wait 24 hours to allow for Google user accounts to update with the new certificate.
- Configure the IdP to use the new certificate in place of the expiring one.
- (optional) Once users have confirmed they are able to sign in, remove the old certificate from Admin console. You can then upload a new certificate in the future as needed.
