How to update SAMLv2 certificate at "$ZIT_URL/saml/v2/certificate" when acting as IDP
Hello Zitadel community,
I'm currently developing a proof of concept implementing Zitadel at my organization and have encountered a challenge that I couldn't resolve through the documentation.
Specifically, I need to update the certificate provided by the endpoint "$ZIT_URL/saml/v2/certificate" when Zitadel is acting as an Identity Provider. While I've found documentation on updating external IdP SAML certificates, I haven't been able to locate information about updating Zitadel's own certificate when it serves as the IdP.
NOTE: tried with
$ZIT_URL/admin/v1/idps/saml/:id/_generate_certificate
but this is for the external providers. Could someone please direct me to the relevant documentation or provide guidance on this process? Thank you for your assistance!
9 Replies
hey @Oakwhistle thanks for your question, I will look into this and get back to you.
Hello @Rajat! Thank you for taking a look at my post. I'll be looking forward to your response!
@Rajat I'm having the same question. Running Zitadel 2.71.13. How to update the SAML certificate of a SAML application?
hey @be the SAML signing certificate is managed by the service and cannot be rotated by the user if running on cloud.
There is no dedicated PUT or POST endpoint for replacing this certificate.
And if running a self-hosted Zitadel?
If it can't be rotated manually, that would be waiting until things break because Zitadel rotated it automatically and the SAML client won't connect anymore. That wouldn't be a smart behaviour IMO.
The SAML signing keypair is treated as an internal encrypted secret stored in the database; the only way to do it would be to generate a new PEM key/cert pair, update your ZITADEL runtime configuration and restart.
alright, any directions on how to do that? 🙂
https://zitadel.com/docs/self-hosting/manage/configure#environment-variables env vars are defined here for self-hosted; there are a lot of SAML env vars that you can set up.
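Since the thread's worry is an automatic rotation that nobody notices until the SAML clients stop connecting, here is a small monitoring check to go with the answers above. It is an added example, not code from this thread or from Zitadel: stdlib-only Python that takes the PEM served at "$ZIT_URL/saml/v2/certificate" (fetch it however you like; the example does no network I/O), reports the expiry window, and flags a rotation by comparing the SHA-256 fingerprint against the one your service providers were configured with. The sample certificate it builds is a constructed, unsigned X.509 structure used only as input; the Zitadel configuration keys for the signing key are not assumed here.

```python
"""Expiry / rotation check for a SAML IdP certificate (added example; not Zitadel code)."""
import base64
import hashlib
from datetime import datetime, timezone


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next N bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_time(tag: int, raw: bytes) -> datetime:
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...), RFC 5280 rules."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, s = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    else:
        year, s = int(s[:4]), s[4:]
    return datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), tzinfo=timezone.utc)


def pem_to_der(pem: str) -> bytes:
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the value to pin in your SP configuration notes."""
    return hashlib.sha256(der).hexdigest()


def parse_validity(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _decode_time(t1, nb), _decode_time(t2, na)


def certificate_status(pem: str, now=None, warn_days: int = 14) -> dict:
    """Summarise the served cert: fingerprint to pin, validity, and ok/expiring/expired."""
    der = pem_to_der(pem)
    not_before, not_after = parse_validity(der)
    ts = datetime.now(timezone.utc) if now is None else datetime.fromisoformat(now.replace("Z", "+00:00"))
    days_left = (not_after - ts).days
    status = "expired" if ts >= not_after else ("expiring" if days_left < warn_days else "ok")
    return {"fingerprint_sha256": fingerprint(der), "not_before": not_before.isoformat(),
            "not_after": not_after.isoformat(), "days_left": days_left, "status": status}


def detect_rotation(pem: str, pinned_fingerprint: str) -> bool:
    """True when the served certificate differs from the one the SPs were configured with."""
    return fingerprint(pem_to_der(pem)) != pinned_fingerprint.lower()


def build_sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed, unsigned X.509 DER used only as sample input (not a real Zitadel cert)."""
    nb = datetime.fromisoformat(not_before.replace("Z", "+00:00"))
    na = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"zitadel-saml-test"))   # CN attribute
    name = _tlv(0x30, _tlv(0x31, cn))                                                 # Name = SEQ of RDN SETs
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))  # sha256WithRSA
    validity = _tlv(0x30, utc(nb) + utc(na))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 17))                                 # placeholder key bits
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))                           # placeholder signature


if __name__ == "__main__":
    sample = der_to_pem(build_sample_cert("2025-01-01T00:00:00Z", "2025-03-01T00:00:00Z"))
    print(certificate_status(sample, now="2025-02-20T00:00:00Z"))
```

In practice you would run `certificate_status` on a schedule against the live endpoint and alert on "expiring" or on `detect_rotation` returning True, so a rotation (manual or automatic) is caught before the service providers reject assertions signed with a key they have never seen.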
thank you!
@Oakwhistle find the answer above