Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
189
Views
1
Helpful
0
Comments

Updated SAML Certificate Now Available for Secure Access China

kwelkerm
Cisco Employee
Cisco Employee

on ‎09-17-2025 09:17 AM

The SAML certificate used for Web Security and Zero Trust Authentication for Secure Access China will expire on 15-Oct-2025 13:22:49 UTC, and you must update your Identity provider (IdP) with the new Secure Access SAML certificate before 15-Oct-2025 13:22:49 UTC.

Updating this certificate is essential to avoid SAML user authentication failures and loss of internet access for these users, unless your IDP has already been configured to monitor the Secure Access SAML metadata URL provided below.

Download the updated SAML Metadata:

https://7aptjg4el1.execute-api.cn-north-1.amazonaws.com.cn/prod/sse-saml-signing-certificate/Cisco_SSE_SP_Metadata.xml

Download the updated SAML Certificate:

https://7aptjg4el1.execute-api.cn-north-1.amazonaws.com.cn/prod/files/sse-saml-signing-certificate/certificates/Cisco_Signing_SP_Certificate_Sep2025.cer

The metadata has been updated and includes both the current and the new signing certificate. At expiration of the current certificate, the new certificate will be used for signing. DO NOT delete any current certificates. Secure Access continues signing with the old certificate until the time of expiration.

This is an annual task; however, the Secure Access metadata URL will remain constant from previous years. This is why we recommend using the metadata URL to automatically acquire the renewed certificate rather than using a manual import process. When the certificate is renewed, we will update the metadata without changing the metadata URL. This approach will support identity providers like ADFS and Ping Identity, which can monitor the relying party metadata URL and automatically update it when the relying party metadata is updated with a new certificate.

For more information on renewal options, see:

https://docs.sse.cisco.com/sse-user-guide/docs/saml-certificate-renewal-options

Note: Some Identity Providers do not perform validation of SAML request signatures and, therefore, do not require our new certificate. If in doubt, please contact your Identity Provider vendor for confirmation.

If you have any questions, please contact support.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents