Process – How to Renew the SSO SAML Certificate in FreshService via Entra ID
Every 3 years, the SSO SAML Certificate expires and needs to be replaced with a new one. This Process documents the process in doing this. A notification email from Entra ID will be sent to cybersecurity@mariecurie.org.uk close to the expiry date. Please bear in mind that this process is up to date as of 27/08/2025 and could be slightly different the next time this is done.
- Go to Azure -> Entra ID -> Enterprise Apps -> MC Security Services SSO (Production) - GE50 MC Security Services SSO (Production) - GE50 - Microsoft Entra admin center
- Go To Single Sign-On
- Scroll down to 3 – SAML Certificates
- Click on Edit
- Click on “New Certificate”
- Use the following settings:
- Signing Option – “Sign SAML Assertion”
- Signing Algorithm – “SHA-256”
- Click Save
- The new SAML Signing Certificate is now generated. You need to do the following:
- Click on the 3 dots next to the new certificate
- Now download the certificate by clicking on “Base64 certificate download”
9. Open the downloaded certificate with NOTEPAD, and keep this open for later.
- Go to Freshservice Admin page Freshworks - Login
- Click on Security -> Default Login Methods
- Scroll down to SSO Login then click on the 3 dots next to “Azure AD (using SAML)” then “Edit SSO”
- Scroll down to Certificate (Base 64)
- Go back to the Notepad with the opened certificate and copy everything between “-----BEGIN CERTIFICATE-----” and “ -----END CERTIFICATE-----”
- Go back to the Freshservice SSO Setup page and paste the new certificate information in Certificate (Base 64)
16. Click on “Configure SSO” to save
- Go back to the SAML Certificates Edit page in Entra ID
- Click on the 3 dots next to the new certificate, then click on “Enable” then “Yes” on the disclaimer
19. The SSO SAML Certificate is now updated. Log out and back in to test SSO functionality to confirm.
Useful links:
https://support.freshworks.com/support/solutions/articles/50000002354