You can view certificate expiry information and download your SAML certificates directly from the SSO Configuration page. These features help you manage certificate renewals proactively and ensure uninterrupted SSO authentication.
Why certificate management matters
Document360 uses an X.509 certificate to validate SAML assertions from your Identity Provider. This certificate has an expiry date. When it expires, SSO authentication will fail immediately for all users and no one will be able to log in using SSO until the certificate is updated.
Monitoring your certificate expiry and renewing it before it expires prevents unexpected access disruption for your entire team.
Certificate expiry banner
When a certificate is 15 days or less from expiry, a SAML Certificate Rotation Notice banner appears at the top of the SSO Configuration page. The banner displays the exact expiry date and is visible only to users with permissions to configure SSO.
To access the SSO Configuration page:
- Navigate to Settings > Users & permissions > SSO Configuration.
- If a certificate is close to expiry, the banner will be displayed above the SSO configuration list.
Downloading the SSO certificate
You can download the Document360 SSO certificate directly from the banner on the SSO Configuration page.
- Navigate to Settings > Users & permissions > SSO Configuration.
- Click Download certificate in the banner.
- The certificate is downloaded in .cert format to your local system.
This certificate is required when renewing SSO in your Identity Provider, especially for Identity Providers that cannot read the certificate automatically from metadata.
- Downloading the Document360 certificate does not affect your existing SSO configuration. It is needed only when renewing the certificate on your Identity Provider.
- Each certificate download event is recorded in Settings > Team auditing, including the timestamp and the admin user who performed the action.
Viewing certificate expiry from the SSO configuration panel
You can also view the certificate expiry date from within an individual SSO configuration. Click an existing SSO configuration to open the configuration panel. In the IdP configuration section, the expiry date is displayed below the certificate information.
Best practices
- Act on the banner immediately. The 15-day warning banner is your signal to begin the renewal process in your Identity Provider. Do not wait until the certificate expires — SSO will fail for all users the moment it does.
- Download the certificate before updating your IdP. Some Identity Providers cannot read the new certificate automatically from metadata. Download it from Document360 first and upload it manually to your IdP.
- Use Team auditing to track certificate activity. Every certificate download is logged with a timestamp and the admin who performed it. Use this to maintain a record of when certificates were last rotated.
- Verify your IdP is using the correct certificate. The untrusted key error and the invalid signature error both indicate a mismatch between the certificate in Document360 and the one active in your IdP. After rotating a certificate, confirm both sides are in sync before notifying users.
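A local check for the 15-day window and for the "both sides in sync" step, as an added example that is not Document360 tooling or code from this page. It assumes openssl is installed, that the downloaded .cert file is a standard X.509 certificate in PEM or DER encoding, and that the certificate held by your IdP can be exported to a file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Document360 tooling. Assumes openssl is installed and the
# files are X.509 certificates in PEM or DER encoding. Function names are hypothetical.

# Emit the certificate as PEM, accepting either PEM or DER input.
to_pem() {
    openssl x509 -in "$1" -outform PEM 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -outform PEM 2>/dev/null
}

# Print the SHA-256 fingerprint; return 2 if the file is not a certificate.
cert_fingerprint() {
    pem=$(to_pem "$1") || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 if still valid N days from now, 1 if it expires within N days
# (or already has), 2 if the file is not a certificate.
valid_beyond_days() {
    pem=$(to_pem "$1") || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Return 0 only when both files contain the same certificate.
same_cert() {
    a=$(cert_fingerprint "$1") || return 2
    b=$(cert_fingerprint "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh check_saml_cert.sh downloaded.cert [copy-exported-from-idp]
if [ "$#" -ge 1 ]; then
    rc=0
    valid_beyond_days "$1" 15 || rc=$?
    case $rc in
        0) echo "OK: more than 15 days of validity left" ;;
        1) echo "RENEW: expires within 15 days or has already expired" ;;
        *) echo "ERROR: $1 is not a readable X.509 certificate" >&2; exit 2 ;;
    esac
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1")"
    if [ "$#" -ge 2 ]; then
        if same_cert "$1" "$2"; then
            echo "MATCH: both files hold the same certificate"
        else
            echo "MISMATCH: the second file is a different certificate"
        fi
    fi
fi
```

Comparing fingerprints rather than file bytes means a PEM copy on one side and a DER copy on the other still match when they hold the same certificate.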