Helixo (ZITADEL community, 3h ago, 6 replies)

SAML External IdP - Best practices for certificate expiration handling (self-hosted)

I'm currently onboarding B2B customers to my SaaS using ZITADEL (Self-Hosted) with SAML as External IdPs. I have a few questions regarding the lifecycle of SAML metadata and certificates to avoid service interruptions.

I noticed that the generated metadata includes a fixed validUntil date (exactly 1 year from creation), which seems strictly tied to the signing certificate. My tests show this date doesn't "slide" automatically.

My questions:

1- Duration best practices: I’ve seen that I can customize the certificate lifetime in the configuration. It is set to 1 year by default, but I’m worried this might be too aggressive for B2B customers whose IT teams are slow to react. Do you recommend a longer period (5-10 years) for SAML signing certs to reduce manual friction?

2- Key rolling / Grace period: does ZITADEL support "Key Rolling" (exposing both a primary and a secondary/new certificate in the metadata)? This would allow a transition period for customers to update their side before the old certificate actually expires.

3- Rotation workflow: if Key Rolling isn't an option, what is the recommended "ZITADEL way" to rotate these certificates without downtime? Is it purely a manual coordination with the customer's IT?

4- Monitoring at scale: for those managing many external IdPs, how do you monitor these expiration dates? Are there specific Prometheus metrics or API patterns you use to alert your support team before the validUntil date is reached?

I want to ensure a "set and forget" (or at least a safe) experience for my customers. Any feedback on how you handle this organizationally would be super helpful!
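The monitoring pattern asked about in question 4 (and the "two signing certificates in one metadata document" rollover shape from question 2) can be checked with a small script that reads each IdP's SAML metadata, pulls out `validUntil` and the number of published signing keys, and writes the expiry as a Prometheus gauge for the node_exporter textfile collector. This is an added example, not ZITADEL's code or a ZITADEL API; it relies only on the standard SAML 2.0 metadata schema (`urn:oasis:names:tc:SAML:2.0:metadata`), the two metadata documents, entity IDs and certificate bodies are constructed placeholders, and the metric name `saml_idp_metadata_valid_until_seconds` is my own choice.

```python
"""Extract validUntil and signing-key count from SAML IdP metadata and
emit a Prometheus textfile-collector gauge for expiry alerting.

Added example (not ZITADEL project code). Works on any SAML 2.0
metadata document; the sample documents below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
# Metadata fetched from a customer's IdP is untrusted input: in production
# parse it with defusedxml (same API) to disable entity expansion/DTDs.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
METRIC = "saml_idp_metadata_valid_until_seconds"


@dataclass
class MetadataExpiry:
    entity_id: str
    valid_until: datetime   # always UTC-aware
    days_left: int          # whole days remaining relative to "now"
    signing_keys: int       # KeyDescriptors usable for signature verification


def _parse_saml_datetime(value: str) -> datetime:
    """SAML xs:dateTime values are UTC with a trailing 'Z'; older Pythons'
    fromisoformat() rejects 'Z', so normalise it to an explicit offset."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def metadata_expiry(xml_text: str, now: datetime) -> MetadataExpiry:
    """Parse one metadata document and report when it stops being valid."""
    root = ET.fromstring(xml_text)
    ed_tag = f"{{{MD_NS}}}EntityDescriptor"
    # Metadata is either a bare EntityDescriptor or wrapped in EntitiesDescriptor.
    entity = root if root.tag == ed_tag else root.find(ed_tag)
    if entity is None:
        raise ValueError("no EntityDescriptor found in metadata")
    entity_id = entity.get("entityID", "")
    # validUntil may be set on the EntityDescriptor or on the outer wrapper.
    raw = entity.get("validUntil") or root.get("validUntil")
    if raw is None:
        raise ValueError(f"{entity_id}: metadata carries no validUntil attribute")
    valid_until = _parse_saml_datetime(raw)
    # A KeyDescriptor with no 'use' attribute is valid for both signing and
    # encryption, so it counts as a signing key too. Two signing keys is what
    # a rollover (old + new certificate published together) looks like.
    signing = sum(
        1 for kd in entity.iter(f"{{{MD_NS}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
    )
    return MetadataExpiry(entity_id, valid_until, (valid_until - now).days, signing)


def expiring_within(entries: list[MetadataExpiry], days: int) -> list[MetadataExpiry]:
    """Entries the support team should be paged about."""
    return [e for e in entries if e.days_left <= days]


def prometheus_textfile(entries: list[MetadataExpiry]) -> str:
    """Render the textfile-collector exposition. Alert rule to pair with it:
    (saml_idp_metadata_valid_until_seconds - time()) < 30 * 86400"""
    lines = [
        f"# HELP {METRIC} Unix time at which the external IdP metadata expires.",
        f"# TYPE {METRIC} gauge",
    ]
    for e in entries:
        label = e.entity_id.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'{METRIC}{{entity_id="{label}"}} {int(e.valid_until.timestamp())}')
    return "\n".join(lines) + "\n"


# Constructed sample metadata: one IdP close to expiry with a single signing
# key, one far from expiry that is mid-rollover with two signing keys.
# The X509Certificate bodies are placeholders, not real certificates.
SAMPLE_SOON = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.customer-a.test/saml"
    validUntil="2026-06-30T12:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT_A1</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_ROLLOVER = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.customer-b.test/saml"
    validUntil="2027-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT_B_OLD</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT_B_NEW</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT_B_ENC</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def run_demo(now: datetime = NOW) -> list[MetadataExpiry]:
    entries = [metadata_expiry(SAMPLE_SOON, now), metadata_expiry(SAMPLE_ROLLOVER, now)]
    for e in expiring_within(entries, 30):
        print(f"ALERT {e.entity_id} expires in {e.days_left} days ({e.signing_keys} signing key(s))")
    print(prometheus_textfile(entries), end="")
    return entries


if __name__ == "__main__":
    run_demo()
```

Run it on a cron job over the metadata you keep for each customer IdP and point the textfile collector at its output; the alert threshold (30 days here) should be longer than the slowest customer IT team's realistic turnaround, since the only remedy once `validUntil` passes is manual re-exchange of metadata.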