SAML Apps and SHA256 Certificates

Certificates with a SHA256 signature are supported for SAML 2.0 applications with Okta. You can create new integrations that use SHA256 certificates and update existing integrations from SHA1 certificates to SHA256 certificates. Existing integrations are not changed automatically. The SHA256 certificates and the SHA1 certificates are self-signed.

Why Should I Do This?

Updating lets you take advantage of the additional security features of SHA256 certificates.

New SAML 2.0 App Integrations

New SAML 2.0 app integrations automatically use SHA256 certificates. As instructed, upload the SHA256 certificate to the ISV.

Existing SAML 2.0 App Integrations

To update existing app integrations, there are four steps to follow.

  1. List your apps and get the app id, name, and label for each app to update.
    For each app to update, perform the following steps.
  2. Generate a new application key credential.
  3. Update the key credential for the app to specify the new signing key id.
  4. Upload the new certificate to the ISV. (This step cannot be automated.)

Important: After you complete the first three steps, your users cannot access the application until Step 4 is completed.

Determine the Signature Algorithm of a Certificate

You can find the signature algorithm of a certificate either by using the command line or by uploading your certificate to a free, online certificate decoder service.

If you have OpenSSL installed, from the command line run:

openssl x509 -text -noout -in <your certificate>


<your certificate> is the certificate filename relative to the current directory. The certificate must be in PEM format. Use a plain text editor like Notepad or TextEdit to save the certificate text from the x5c element returned from an API call, and add the Begin Certificate and End Certificate lines with the hyphens to the top and bottom of the file, as shown below. Trailing whitespace, such as a space or carriage return, at the end of the file makes the certificate invalid. (The certificate shown below has been altered and is not valid.)


Use a free CSR and Certificate Decoder service and enter the contents of your certificate. These tools are readily found through a web search. Be sure to note the certificate format that the decoder service requires.

The Signature Algorithm is either sha256WithRSAEncryption or sha1WithRSAEncryption.
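
As an added example (not Okta's code), the following Python reads the same Signature Algorithm field without OpenSSL or an online decoder: it wraps an x5c value in the Begin Certificate and End Certificate lines and decodes the signatureAlgorithm OID from the DER directly, which goes slightly beyond the OpenSSL command above. The function names are assumptions made for illustration, and sample_x5c builds a constructed DER skeleton, not a real certificate.

```python
import base64

# OIDs for the two signature algorithms this page names.
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def x5c_to_pem(x5c):
    """Wrap a base64 x5c value in the BEGIN/END lines, with no trailing whitespace."""
    body = "".join(x5c.split())
    base64.b64decode(body, validate=True)  # raises if the value is not clean base64
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])

def _tlv(der, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    if pos + length > len(der):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_algorithm(pem):
    """Name (or dotted OID) of Certificate.signatureAlgorithm in a PEM certificate."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    outer, start, _ = _tlv(der, 0)         # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, o, e = _tlv(der, alg_start)       # its first element is the OID
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not an X.509 DER certificate")
    arcs, value = [der[o] // 40, der[o] % 40], 0
    for byte in der[o + 1:e]:              # base-128 arcs, high bit = continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    name = ".".join(map(str, arcs))
    return SIG_ALGS.get(name, name)

def sample_x5c(oid_hex):
    """Constructed DER skeleton carrying the given OID; not a real certificate."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x82\x01\x00" + bytes(256) + alg + b"\x03\x02\x00\x00"
    return base64.b64encode(b"\x30\x82" + len(body).to_bytes(2, "big") + body).decode()
```

Pass the x5c string from an app's key credential to x5c_to_pem and the result to signature_algorithm; an app that still returns sha1WithRSAEncryption has not been updated.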

Obtaining the Certificate for an App from a URL

You can obtain the current certificate for an app from the following URL:

https://<your org subdomain>-admin.okta.com/admin/org/security/<application id>/cert


<your org subdomain> is your organization's Okta subdomain.

<application id> is the application ID you used in Step 1.

Note: Certificates downloaded with this method contain the Begin Certificate and End Certificate lines.


If you need help or have an issue, post a question on the Okta Developer Forum.