OneTrust Signed Certificates are only valid for a set period that varies based on the specific environment. When these certificates approach the expiration date, OneTrust issues a new certificate, per environment, to replace the certificate installed on the customer Identity Provider (IdP) side. Action is then required for the customer to upload the new certificate into their IdP.
Affected Customers - Does this change apply to me?
Certificates only need to be updated if your tenant has the Sign SAML Requests setting enabled in the Single Sign-On (SSO) Configuration within Global Settings.
Note
If the Sign SAML Requests setting is disabled for your tenant, no action is needed.
To review your SSO Configuration, click the gear icon to access Global Settings. On the menu, select Single Sign-On and verify whether the Sign SAML Requests setting is enabled or disabled on the Single Sign-On screen.
If the Sign SAML Requests setting is enabled in your SSO Configuration, the user(s) and/or user group(s) designated in the Notification Recipient field will receive the following email notifications when action is required regarding OneTrust Signed Certificates. Please ensure that the users and/or user groups who should be notified of these changes are selected in this field so that they receive these email notifications.
Note
These email templates are not customizable and will not appear on the Templates tab of the Email screen.
Action Required - What is the change I need to make, and when do I need to make it?
Action
To maintain uninterrupted access to your tenant via SSO, you will need to go into your IdP and update the OneTrust Signed Certificate. The new certificates will be available for download within the OneTrust application 30 days before the expiration of the current certificate. Please reference the following procedure and work with your IT Administrators to apply IdP updates.
- Download the latest version of the OneTrust Signed Certificate for your environment. Upcoming OneTrust Signed Certificates can be downloaded directly from the OneTrust application. Navigate to the Certificates tab on the Single Sign-On screen in Global Settings and click the Download button in the Download Upcoming Certificate field.
- Go into your IdP and update the OneTrust Signed Certificate according to the timeline applicable to the configuration of your IdP, as detailed in the following section.
Timeline
The timing of when this change should be completed depends on the configuration of your IdP:
- Customers that use IdPs with support for uploading multiple certificates should upload the updated certificate as 'secondary'. This can be done at any time before the expiration date. There will be no downtime if multiple certificates are uploaded. The following are examples of IdPs that support this method: ADFS, AWS, Azure, KeyCloak, miniOrange, Okta, OneLogin, Ping, Shibboleth, SimpleSAML, WSO2.
- Customers that use IdPs without support for uploading multiple certificates need to upload the certificate on the New Certificate Activation Date/Time.
Warning
If your IdP does not support multiple certificates and you upload the new certificate before the expiration date, you will be locked out of your tenant. If this happens, refer to the Troubleshooting section below.
Upcoming Certificate Expirations - When does my certificate expire?
You can check the certificate expiration date within the certificate itself by opening the respective certificate and viewing the dates in the Valid from field, as highlighted in the image below.
Warning
Once the old certificate expires, your organization will lose access via SSO until the new certificate is uploaded in your IdP. If this happens, refer to the Troubleshooting section below.
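As an added example (not OneTrust's code or tooling), the following Python reads the notBefore/notAfter dates out of DER-encoded certificate files such as the current and upcoming OneTrust Signed Certificates and maps them onto the timeline above: whether the 30-day download window has opened, whether a single-certificate IdP must still wait for the New Certificate Activation Date, or whether the current certificate has already expired. It assumes the downloaded files are DER (a PEM download is the same bytes base64-encoded between BEGIN/END lines); the sample_cert helper builds a constructed minimal skeleton for demonstration, not a real certificate.

```python
from datetime import datetime, timedelta, timezone

ROTATION_WINDOW = timedelta(days=30)  # article: upcoming cert is downloadable 30 days before expiry

def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, raw):
    s = raw.decode("ascii")              # UTCTime (0x17) YYMMDD..Z or GeneralizedTime (0x18) YYYYMMDD..Z
    if tag == 0x17:                      # RFC 5280: two-digit years below 50 mean 20xx
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)            # TBSCertificate ::= SEQUENCE { [0] version, serial, ... }
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0      # version is OPTIONAL; if absent, serialNumber comes first
    for _ in range(3):                   # skip serialNumber, signature AlgorithmIdentifier, issuer
        _, _, pos = _tlv(tbs, pos)
    _, val, _ = _tlv(tbs, pos)           # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(val, 0)
    t2, na, _ = _tlv(val, pos)
    return _time(t1, nb), _time(t2, na)

def rotation_state(current_der, upcoming_der, now, idp_supports_multiple):
    """Map both certificates' validity periods onto the article's timeline rules."""
    _, current_expires = validity(current_der)
    upcoming_active, _ = validity(upcoming_der)
    if now >= current_expires:
        return "expired"                 # SSO is down until the new cert is in the IdP
    if current_expires - now > ROTATION_WINDOW:
        return "not-yet-available"       # upcoming cert is not published in the app yet
    if idp_supports_multiple:
        return "upload-secondary"        # upload any time before expiry; no downtime
    if now < upcoming_active:
        return "wait-for-activation"     # uploading early to a single-cert IdP locks you out
    return "replace-now"

# Constructed sample: a minimal TBSCertificate skeleton for validity() to walk, NOT a real certificate.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length only (bodies here are < 128 bytes)

def sample_cert(not_before, not_after):
    t = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version v3, serialNumber 1
           + _der(0x30, b"") + _der(0x30, b"")                      # empty signature and issuer
           + _der(0x30, t(not_before) + t(not_after)))
    return _der(0x30, _der(0x30, tbs))
```

To use it on real downloads, pass the file bytes of the current and upcoming certificates to rotation_state together with the current time and whether your IdP accepts a secondary certificate.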
Troubleshooting
If you experience issues during the update process and can no longer access your environment via SSO, follow the process below to recover access and troubleshoot. Disabling SSO resolves lockouts caused by an SSO misconfiguration that prevents access to the application. Internal Site Admins in the root organization can use the following self-service flow to disable SSO and resolve the lockout without contacting OneTrust Support.
Note
If you are unable to resolve these issues, contact OneTrust Support.
Step 1: Use the Lockout URL to Disable SSO
- Navigate to the Lockout URL that you previously copied from the Single Sign-On screen in your web browser.
Note
If the Lockout URL was not copied from the Single Sign-On screen, you can use https://{$$.env.host}/auth/validate/sso-lockout and replace {$$.env.host} with your respective environment. For example, the Lockout URL for the trial.onetrust.com environment would be https://trial.onetrust.com/auth/validate/sso-lockout.
- Enter the email address for an Internal Site Admin in the root organization.
Note
Only Internal Site Admins in the root organization have access to disabling SSO. OneTrust Consultants are generally External users and cannot perform this action within your account.
- Click the Submit button. If the entered email address is authorized to disable SSO, an email will be sent to that address.
- Click the link within the email that you received to proceed with disabling SSO. A confirmation screen appears on a new tab in your web browser.
Note
The emailed link expires within 24 hours.
- Verify the details for disabling SSO.
- Click the Continue button to disable SSO. Once SSO is disabled, users will be required to set a new password to log in to the application.
Step 2: Upload the OneTrust Signed Certificate to your IdP
Complete one of the following solutions based on the issue you are experiencing.
- Locked out of tenant due to updating certificate too early
This issue occurs if the OneTrust Signed Certificate was updated before the New Certificate Activation Date and you use an IdP that doesn't support uploading multiple certificates. In this instance:
  - Download the current version of the certificate that corresponds to your OneTrust application environment. OneTrust Signed Certificates can be downloaded directly from the OneTrust application. Navigate to the Download Current OneTrust Certificate field on the Configuration tab of the Single Sign-On screen in Global Settings and click the Download button. Current certificates can also be downloaded from the Download Current Certificate field on the Certificates tab.
Note
The Download Current OneTrust Certificate field and the Certificates tab only appear if the Sign SAML Requests setting is enabled. In addition, the Download Current OneTrust Certificate field is only visible when Manual is selected in the Setup Options field.
  - Go into your IdP and delete the new certificate.
  - Upload the previous version of the certificate into your IdP.
- Locked out of tenant due to original certificate expiring
This issue occurs if the OneTrust Signed Certificate was not updated before the Old Certificate Expiration Date. In this instance:
  - Download the latest version of the certificate that corresponds to your OneTrust application environment. Upcoming OneTrust Signed Certificates can be downloaded directly from the OneTrust application. Navigate to the Certificates tab on the Single Sign-On screen in Global Settings and click the Download button in the Download Upcoming Certificate field.
  - Go into your IdP and upload the latest version of the certificate.
Step 3: Re-enable SSO
Re-enable SSO by clicking the gear icon to access Global Settings. On the menu, select Single Sign-On and enable the Would you like to enable Single Sign-On? setting. For more information on configuring SSO, see Managing Single Sign-On (SSO).