kwelkerm
Cisco Employee

Updated SAML Certificate for Web Security and Zero Trust Authentication is now available!

The Secure Access SAML certificate used for Web Security and Zero Trust Authentication will expire on May 13, 2025, 07:00:46 UTC. You must update your identity provider (IdP) with the new Secure Access SAML certificate before May 13, 2025, 07:00:46 UTC.

Updating this certificate is essential to avoid SAML user authentication failures and loss of internet access for these users, unless your IdP has already been configured to monitor the Secure Access SAML metadata URL provided below.

Download the updated SAML Metadata: 

https://api.sse.cisco.com/admin/v2/samlsp/certificates/Cisco_SSE_SP_Metadata.xml

Download the updated SAML Certificate:

https://api.sse.cisco.com/admin/v2/samlsp/certificates/Cisco_SP_Signing_Certificate_Apr2025.cer 

The metadata has been updated and includes both the current and the new signing certificate. At expiration of the current certificate, the new certificate will be used for signing. DO NOT delete any current certificates. Secure Access continues signing with the old certificate until the time of expiration.

This is an annual task; however, the Secure Access metadata URL will remain constant from previous years. This is why we recommend using the metadata URL to automatically acquire the renewed certificate rather than using a manual import process. When the certificate is renewed, we will update the metadata without changing the metadata URL. This approach will support identity providers like ADFS and Ping Identity, which can monitor the relying party metadata URL and automatically update it when the relying party metadata is updated with a new certificate.

For more information on renewal options, see https://docs.sse.cisco.com/sse-user-guide/docs/saml-certificate-renewal-options

Note: Some Identity Providers do not perform validation of SAML request signatures and, therefore, do not require our new certificate. If in doubt, please contact your Identity Provider vendor for confirmation.

If you have any questions, please contact support.
