I must have set up Azure AD to federate into AWS SSO about 3 years ago, as my certificate is about to expire.
I received the following helpful email from Microsoft:

In order to refresh the certificate I need to log in to Azure, https://portal.azure.com, and select Azure Active Directory (shortly to be renamed Microsoft Entra ID).

Next select ‘Enterprise Applications’:

Then find the Application that you created for AWS SSO. Mine is called ‘AWS SSO’:


Go to the SAML Certificates pane and click ‘Edit’:

Click on ‘New Certificate’:

Don’t forget to save!

Be careful about which certificate is Active and which is Inactive – this status is really important. Do not switch over until the new certificate has been imported into AWS SSO (AWS IAM Identity Center), later in this walk-through; otherwise Azure starts signing assertions with a certificate that AWS does not yet trust and sign-ins fail:

Click the ‘…’ by the Inactive (new) certificate and then select PEM certificate download:

Save the file on your computer; you'll need it shortly in the AWS console.
Switch to AWS and go to the IAM Identity Center service (formerly AWS Single Sign-On):

Because I had the Ireland (eu-west-1) region selected in the console, I get this handy warning:

So switch over to the correct region.
AWS also warns me in IAM Identity Center that the certificate is close to expiry. Click 'Manage certificate' on the warning, or alternatively select Settings in the left panel, then the 'Identity source' tab, 'Actions' and 'Manage authentication'.

Select ‘Import Certificate’:

The following prompt will appear if the certificate file (PEM) is valid; click 'Import certificate':

You will now see the old certificate and the new one side-by-side in the AWS console:

Now back in the Azure portal make the new certificate active by clicking the ‘…’ next to the new certificate that’s currently inactive, and select ‘Make certificate active’:


You should get a success pop-up message, after which you should test that SSO is working (log out first) and then tidy up by deleting the old certificates.
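A quick way to confirm the switch-over actually happened, rather than relying on the portal pop-up, is to compare the PEM you downloaded with the signing certificate Azure now advertises in the application's federation metadata. The script below is an added example written for this walk-through, not code from the original post, Microsoft or AWS. It assumes the metadata is served at the "App Federation Metadata Url" shown on the application's single sign-on page, which follows the `login.microsoftonline.com/<tenant>/federationmetadata/2007-06/federationmetadata.xml?appid=<app>` pattern; `TENANT_ID`, `APP_ID` and the `AWS_SSO.pem` filename are placeholders, and the `OLD_DER`/`NEW_DER` fixtures are constructed bytes (not real certificates) so the matching logic can be exercised offline.

```python
"""Check whether a downloaded PEM is the SAML signing certificate the
Azure AD (Entra ID) enterprise application is advertising right now.

Added example for this walk-through; not code from the original post,
Microsoft or AWS. TENANT_ID, APP_ID and the PEM filename are placeholders.
"""
import base64
import hashlib
import sys
import urllib.request
import xml.etree.ElementTree as ET

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder: your tenant id
APP_ID = "11111111-1111-1111-1111-111111111111"      # placeholder: AWS SSO app id
METADATA_URL = (
    f"https://login.microsoftonline.com/{TENANT_ID}"
    f"/federationmetadata/2007-06/federationmetadata.xml?appid={APP_ID}"
)

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def der_from_pem(pem_text: str) -> bytes:
    """Drop the BEGIN/END lines and base64-decode the body to DER bytes."""
    body = "".join(
        line.strip() for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated the way openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs_from_metadata(metadata_xml: str) -> list:
    """DER bytes of every signing certificate in the IdP's SAML metadata.

    A KeyDescriptor with no 'use' attribute is valid for signing as well,
    so it is included. Only certificates Azure is actually signing with
    are expected here; compare with the Active/Inactive state in the portal.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs


def check_active_cert(pem_text: str, metadata_xml: str) -> dict:
    """Report whether the PEM file matches a certificate the IdP advertises."""
    wanted = fingerprint(der_from_pem(pem_text))
    advertised = [fingerprint(c) for c in signing_certs_from_metadata(metadata_xml)]
    return {
        "pem_fingerprint": wanted,
        "advertised_fingerprints": advertised,
        "active": wanted in advertised,
    }


# Constructed fixtures for offline use: NOT real certificates, just bytes
# wrapped the way a PEM file and Azure's federation metadata wrap them.
OLD_DER = b"constructed-old-certificate-bytes"
NEW_DER = b"constructed-new-certificate-bytes"
SAMPLE_NEW_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(NEW_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def sample_metadata(*ders: bytes) -> str:
    """Build a minimal IdP metadata document advertising the given certs (constructed)."""
    keys = "".join(
        '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        f"<X509Data><X509Certificate>{base64.b64encode(d).decode()}</X509Certificate>"
        "</X509Data></KeyInfo></KeyDescriptor>"
        for d in ders
    )
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        f'entityID="https://sts.windows.net/{TENANT_ID}/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}</IDPSSODescriptor></EntityDescriptor>"
    )


def main(pem_path: str) -> int:
    with open(pem_path) as fh:
        pem_text = fh.read()
    with urllib.request.urlopen(METADATA_URL, timeout=15) as resp:   # live fetch
        metadata_xml = resp.read().decode("utf-8")
    result = check_active_cert(pem_text, metadata_xml)
    print(f"PEM file fingerprint : {result['pem_fingerprint']}")
    for fp in result["advertised_fingerprints"]:
        print(f"IdP advertises       : {fp}")
    print("ACTIVE" if result["active"] else "NOT ACTIVE (still Inactive in Azure, or wrong file)")
    return 0 if result["active"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "AWS_SSO.pem"))
```

Run it once before clicking 'Make certificate active' (expect NOT ACTIVE, with the old certificate's fingerprint listed) and once after (expect ACTIVE); `openssl x509 -noout -enddate -fingerprint -sha256 -in AWS_SSO.pem` prints the same fingerprint alongside the expiry date, which is also a convenient way to double-check that the PEM you imported into AWS is the new three-year certificate and not a re-download of the old one.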
Just as a final note, if you have multiple users active via SSO it will be best to actually switch the certificates out of hours.