When you set up a SAML 2.0 SSO method in AppsAnywhere, a certificate is generated by your Identity Provider (IdP) and configured in AppsAnywhere. This creates a trust between AppsAnywhere and your IdP, and this certificate is used to sign the SAML assertions provided by the IdP to prove to AppsAnywhere that your users have authenticated. These certificates will expire and must be replaced by a new certificate to ensure your users can continue to log in to AppsAnywhere via SAML SSO.
This guide walks through how to replace your SAML IdP signing certificate when using Entra ID for AppsAnywhere SAML SSO.
For customers using an alternative SAML 2.0 identity provider, you can follow this guide, but replace steps 1 and 3 with the correct process for your identity provider.
1. Create a new certificate in Entra
- Go to Microsoft Entra ID → Enterprise applications
- Locate the Enterprise application that you have created for AppsAnywhere SAML single sign-on
- Go to Single sign-on
- Ensure you are on the SAML-based Sign-on screen
- Under the SAML Certificates section:
  - Click Edit
  - Click New Certificate
  - Set the new certificate expiry as required
  - Click Save
- Download the new certificate via the three-dot menu → Base64 certificate download
Important: Do not click Make this certificate active yet. Doing this now will cause your AppsAnywhere SAML logins to fail.
2. Update the Identity Provider Certificate used by your AppsAnywhere SAML SSO method
In AppsAnywhere Admin:
- Go to Settings → Single Sign-On
- Open your Entra SAML 2.0 configuration
- Locate the Identity Provider → Certificate (X.509) setting
- Replace the existing certificate with the new Base64 certificate you downloaded from Entra in step 1.
- Click Save
Once the new certificate is saved in AppsAnywhere, SAML logins will fail until you have completed step 3 below.
3. Activate the new certificate in Entra
Now return to Entra:
- Go to Microsoft Entra ID → Enterprise applications
- Locate the Enterprise application that you have created for AppsAnywhere SAML single sign-on
- Go to Single sign-on
- Ensure you are on the SAML-based Sign-on screen
- Under the SAML Certificates section:
  - Click Edit
  - Locate the new certificate you created in step 1
  - Make the new certificate active via the three-dot menu → Make certificate active
- Entra starts signing SAML responses with the new certificate immediately.
4. Test immediately
- Launch AppsAnywhere
- Perform Entra SAML SSO login
- Confirm authentication succeeds
If login fails at this stage, it indicates AppsAnywhere is still using the old certificate.
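To confirm which side is out of step when the test login fails, the following added example (not part of AppsAnywhere or Entra) compares the thumbprint of the certificate pasted into AppsAnywhere with the certificate embedded in a SAML response you captured yourself from the browser's POST to AppsAnywhere. It assumes the response carries its signing certificate in a ds:X509Certificate element and that thumbprints are the SHA-1 of the DER certificate in uppercase hex; all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

def cert_der(text):
    """Decode a Base64 certificate, with or without BEGIN/END lines, to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)

def thumbprint(text):
    """SHA-1 of the DER bytes as uppercase hex (an identifier, not a security check)."""
    return hashlib.sha1(cert_der(text)).hexdigest().upper()

def response_thumbprints(saml_response_b64):
    """Thumbprints of the certificates embedded in a captured SAMLResponse form value."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {thumbprint(el.text) for el in root.iter(DS + "X509Certificate") if el.text}

def diagnose(configured_cert, saml_response_b64):
    """Compare the certificate configured in the SP with the one the IdP signed with."""
    embedded = response_thumbprints(saml_response_b64)
    if not embedded:
        return "no-embedded-cert"
    return "match" if thumbprint(configured_cert) in embedded else "mismatch"

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_CERT = base64.b64encode(b"constructed-old-certificate").decode()
NEW_B64 = base64.b64encode(b"constructed-new-certificate").decode()
NEW_CERT = f"-----BEGIN CERTIFICATE-----\n{NEW_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_RESPONSE = base64.b64encode((
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><X509Data>'
    f"<X509Certificate>{NEW_B64}</X509Certificate>"
    "</X509Data></KeyInfo></Signature></samlp:Response>"
).encode()).decode()

if __name__ == "__main__":
    # Response signed with the new certificate while the SP still holds the old one.
    print("SP holds old cert:", diagnose(OLD_CERT, SAMPLE_RESPONSE))
    print("SP holds new cert:", diagnose(NEW_CERT, SAMPLE_RESPONSE))
```

A "match" result only shows that both sides reference the same certificate; it does not validate the response signature, which remains AppsAnywhere's job.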
Rollback
If you need to roll back and your old certificate is still valid, you can revert the change by repeating steps 2-3 with your old certificate to make this the active one again.