Rotating the SAML private signing key

The SAML private signing key should be rotated once a year.

Note: Since the SAML private signing key is used each time a user authenticates, the key should only be rotated when the system is not in use.

  1. Generate a new WFM SAML signing key and certificate using the SAML Certificate Generator form.
  2. Once the new signing key and certificate are created, export or copy the public certificate.
  3. Click Save Private Key to save the new private key.
    The displayed SAML private key is saved to the Sensitive Data Configuration form with a configuration type of SAMLPRIVATEKEY. If more than one record with a configuration type of SAMLPRIVATEKEY exists, only the record with the latest expiration date is overwritten. The expiration date of that record is not changed.
  4. Import the new WFM signing certificate into your IdP. This is the public certificate that you exported or copied in Step 2.
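
A check to run after Step 4, added here as an example and not part of WFM or its documentation: it confirms that the certificate the IdP now holds is the one exported in Step 2 and that it is not close to expiry. It assumes openssl is installed and that both certificates are available as PEM files (how you export the IdP's copy depends on your IdP); the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not WFM code. Only public certificates are read here;
# the private key saved in Step 3 is never needed for this check.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if both files parse as certificates and are identical.
same_cert() {
  fp_a=$(cert_fp "$1")
  fp_b=$(cert_fp "$2")
  [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Succeed if the certificate is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# verify_rotation EXPORTED_CERT IDP_CERT [MIN_DAYS]
# Returns 0 on success, 1 on mismatch, 2 if expiry is within MIN_DAYS.
verify_rotation() {
  min_days=${3:-30}
  if ! same_cert "$1" "$2"; then
    echo "MISMATCH: IdP copy differs from the certificate exported in Step 2" >&2
    return 1
  fi
  if ! valid_for_days "$1" "$min_days"; then
    echo "EXPIRING: certificate expires within $min_days days" >&2
    return 2
  fi
  echo "OK sha256=$(cert_fp "$1") $(openssl x509 -in "$1" -noout -enddate)"
}

# Hypothetical file names: wfm-new.pem (Step 2), idp-copy.pem (from the IdP).
if [ "$#" -ge 2 ]; then
  verify_rotation "$@"
fi
```

A mismatch after rotation usually means the IdP still trusts the previous certificate, in which case it will reject assertions or requests signed with the new key.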