How to safely self-update your IDP certificate when Multi SSO and avoid "IDP Certificate Mismatch" from occurring - Support and Troubleshooting
KB0679991

9885 Views | Last updated: Aug 24, 2022

Issue

Several identity provider (IdP) servers (for example, ADFS) can switch to a new active certificate 2-4 weeks before the current certificate expires, causing alerts and authentication errors in your Multi-SSO configuration. Once the certificate changes, you need to update all your instances to avoid SSO authentication errors when users try to log in.

Symptoms

You can self-update your SSO certificates when the following applies:

  • You have the Multi SSO plugin installed.
  • Your IdP metadata URL is accessible from the instance.
  • Users receive an error message when trying to log in and are sent to a logout page.
  • System logs show an "IDP Certificate Mismatch" error when users try to log in.
  • Once the instance's SAML certificate is replaced with the one provided by the IdP, users are able to log in again.

Cause

Your IdP has changed its signing certificate, and the instance cannot validate the signed SAML messages it receives from the IdP.

Resolution

Starting with the Kingston release, the scheduled job "Refresh MultiSSO IDP Metadata" fetches the IdP metadata from the IdP metadata URL set on the IdP record and updates its certificates automatically.

To allow the system to refresh the certificates automatically from the IdP metadata, you need to ensure the IdP metadata URL is accessible from the instance. If it is not, you will need to keep updating the certificate manually every time the IdP changes it.

If you have an accessible metadata URL, perform the following steps:

  1. Open the IdP record from the list view (NOT from the menu named Identity Providers, but from the SAML2 table):
    e.g. <instance>/saml2_update1_properties_list.do?sysparm_query=

    Ensure the IdP is active and set the "IDP Metadata URL" field (saml2_update1_properties.idp_metadata_url) to the URL that points to the IdP metadata (which contains the signing certificates).
    For SSO Circle it is "https://idp.ssocircle.com/".

    (Screenshot: Set the URL to retrieve the IdP metadata)

  2. Ensure the Scheduled Script Execution "Refresh MultiSSO IDP Metadata" is active and runs every 30 minutes:
    <instance>/sysauto_script_list.do?sysparm_query=name%3DRefresh%20MultiSSO%20IDP%20Metadata

    (Screenshot: Scheduled script execution active)

  3. Validate that the scheduled job is executing correctly. You will see the certificates being updated every 30 minutes.
    Note: The update can retrieve both your encryption and signing certificates. However, Multi-SSO only uses the signing certificates.
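As an added example (not code from this KB article or from the ServiceNow product), the following Python script shows the check the refresh job effectively performs: it parses IdP federation metadata, keeps only the certificates usable for signing, and compares their SHA-256 fingerprints with the certificate the instance currently trusts. The metadata document, the entityID "https://idp.example.test/" and the certificate bodies are constructed placeholders; replace them with the metadata fetched from your real IdP metadata URL and the certificate from your IdP record.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder certificate bodies (base64 of fake bytes, not real DER).
OLD_SIGNING = base64.b64encode(b"constructed-old-idp-signing-cert").decode()
NEW_SIGNING = base64.b64encode(b"constructed-new-idp-signing-cert").decode()
ENCRYPTION = base64.b64encode(b"constructed-idp-encryption-cert").decode()

# Constructed IdP metadata, as served at the IdP metadata URL: the IdP has
# already rolled over to NEW_SIGNING and also publishes an encryption key.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_SIGNING}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENCRYPTION}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def signing_certs(metadata_xml: str) -> list:
    """Base64 certs the IdP may sign with. A KeyDescriptor without a 'use'
    attribute is valid for both signing and encryption, so it is kept;
    use="encryption" keys are skipped because Multi-SSO only needs signing certs."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop line wrapping
    return certs

def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the usual way to compare certificates."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def check_instance_cert(metadata_xml: str, instance_cert_b64: str) -> dict:
    """Compare the cert the instance trusts with what the IdP currently publishes.
    match=False is the state that produces the 'IDP Certificate Mismatch' error."""
    idp = {fingerprint(c) for c in signing_certs(metadata_xml)}
    mine = fingerprint(instance_cert_b64)
    return {"match": mine in idp, "instance": mine, "idp_signing": sorted(idp)}
```

Running check_instance_cert(SAMPLE_METADATA, OLD_SIGNING) returns match False, the situation users see as the mismatch error; with NEW_SIGNING it returns match True, which is the state the scheduled job restores.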


Related Links

These are a few references regarding the IdP metadata URLs:

  • For SSO Circle, the metadata is found at: https://idp.ssocircle.com/
  • For Okta, the generic format of the SAML metadata URL is: https://[okta_org_url].okta.com/app/[app_id]/sso/saml/metadata
  • For ADFS, the metadata is usually at: https://<adfs URL>/FederationMetadata/2007-06/FederationMetadata.xml
  • For Azure: https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml

Please contact your IdP administrators to confirm the correct metadata URL to use.