Skip Navigation
Renewing an existing SAML certificate
Answer ID 5319   |   Last Review Date 05/17/2021

We have renewed our SAML certificate and need to implement the new certificate. How do we accomplish this?


Oracle B2C Service Administrator Portal


This can be accomplished through the Oracle B2C Service Agent Desktop. Please find the steps below, split into stages for ease of reference:

Obtaining the .PEM file from a new Certificate

 **Note: The certificate used in the saml response must be obtained from the external identity provider before following the steps below.  

  1. Double-click the new certificate file (.cer)
  2. Navigate to the "Details" tab
  3. Copy the Value of the Thumbprint field to your clipboard
  4. Select "Copy to File..."
  5. In the "Certificate Export Wizard" that opens, select "Base-64 encoded X.509 (.CER)"
  6. Select "Next >"
  7. Enter a unique filename (for instance, the previous certificate file name with the year appended)
  8. Save
  9. Select the resulting .CER file
  10. Right-click (or press F2) to rename the file
  11. Change the .CER extension to .PEM


Uploading the .PEM file into the Oracle RightNow CX Cloud Service Console

  1. Login to the Oracle RightNow CX Cloud Service Console with a user with administrative rights
  2. Navigate to Configuration -> Site Configuration -> File Manager
  3. On the proper interface, select "Additional root certificates" from the "Switch to" drop-down menu
  4. Select "Browse..." and upload the .pem file of the new certificate
  5. Add any comments you desire for record keeping and choose "Go"
  6. If you have an identity provider set up in the Single Sign-On Configurations componenet for your SSO implmentation, navigate to the Single Sign-On Configurations component and import the new signing certificate in the Identity provider to replace the old certificate
  7. Save your Identity Provider  


Modifying the SAML_20_SIGN_CERTS configuration setting

**Note: This is only required for Customer Portal implemented with SSO and SSO that is not setup under the "Single Sign-In Configurations" component in the agent console. 

  1. Login to the Oracle RightNow CX Cloud Service Console with a user with administrative rights
  2. Navigate to Configuration -> Site Configuration -> Settings (or click the "Configuration" tab if proceeding from the "Uploading" steps)
  3. Select "Common" from the menu
  4. Press "Ctrl-F" and search for "SAML_20_SIGN_CERTS" (or scroll down to the "Single Sign-On" section)
  5. Select "SAML_20_SIGN_CERTS"
  6. In the "Value (String)" text box, enter the thumbprint of the certificate into the list (or "Ctrl-V" and remove spaces if proceeding from the "Obtaining" steps), separated from previous certificate thumbprints with a comma 
  7. Highlight any previous certificate thumbprints from the "Value (String)" field and press "Ctrl-C" to copy them
  8. Paste the previous certificate thumbprint into the last line of the "Description" text box and include user and date of change for record keeping purposes
  9. Select "Update"


Testing validity of new certificates

  1. Login to the Oracle RightNow CX Cloud Service Console with a user with administrative rights
  2. Navigate to Configuration -> Site Configuration -> File Manager
  3. On the proper interface, select "Additional root certificates" from the "Switch to" drop-down menu
  4. Download previous certificates for backups by clicking the "file->disk" image
  5. Delete previous certificates by clicking the "red X" image
  6. Confirm the certificate is uploaded via Configuration -> Site Configuration -> Single Sign-on Configuration.  
  7. Click on the Identify Provider under the SAML tab. 
  8. Click SAML Token Parameters -> Certificates and use the folder icon to upload the same certificate.
  9. If the site uses SSO on customer portal, the SAML_20_SIGN_CERTS needs to be updated with the fingerprint from the certificate (without the colons)
    1. Click Configuration -> Site Configuration -> Configuration Settings.
    2. When the pop up appears, put SAML_20_SIGN_CERTS in the "key" field and click search
    3. Verify any previous certificate thumbprints have been documented in the "Description" text box
    4. In the "Value (String)" text box, highlight any previous certificate thumbprints and delete them.  Click on that Value text box to put in the new value.Edit a configuration setting
    5. Select "Save" in the ribbon
  10. Test
  11. Replace certificates and thumbprints from backups as necessary



Certificates expire and must be renewed. Please note that while Oracle B2C Service can have many certificate entries, only a single valid certificate is used with SAML.


If the signing certificate in the assertion contains chain (intermediate) certificates, those also must be uploaded into File Manager as well. An easy way to determine if your signing certificate contains a chain is to open the .cer file on your desktop.  If the 'Issued to;' and 'Issued by:' do not match on the 'General' tab, you will need to upload the intermediate certificates into the File Manager.  The full certificate chain should be available on the 'Certification Path' tab on the .cer file.  If the full chain is not shown on the 'Certification Path', you will need to contact your Identity Provider to get the intermediate certificates.  You can double click on the intermediate certifictes on the 'Certification Path' tab and follow the steps noted in the first section above to obtain the .PEM.  The intermediate certificates can be uploaded under "Additional root certificates" or "Intermediate certificates". Also please be aware that all uploaded certificates must be valid. If any invalid (such as expired) certificates are encountered during the SSO authentication process the authentication will fail.

In a scenario where you are renewing an existing self-signed certificate: if the issuer/subject is the same on the new certificate as on the expiring certificate then the public keys must also match. If there are two self-signed certificates for the same subject with different public keys in the file manager, the application will not trust either of them. In this case (wherein your identity provider is rekeying the certificate) you should wait to upload the new certificate via the file manager until the time that the IdP starts using it to sign the assertions, and backup and remove the old certificate at that time.

If you are unsure how to obtain the signing certificate to begin with, consult the documentation for your identity provider. For example: in Oracle Identity Cloud Service, it can be obtained through that product's REST API. Alternatively, your organization may choose to use a certificate purchased from a certificate authority. Consult your IT or security team to understand the impact of the choice of using a self-signed certificate versus a traditional purchased certificate. Since the end-user's browser does not have to trust the certificate, it is common (but not universal) to use a self-signed certificate for SAML authorization.

Oracle B2C Service Overview of SAML 2.0 Open Login