Certificate Expiration Awareness for SP-Initiated SSO with Zuora


    Posted yesterday
    Edited by Bharath Marimuthu yesterday


    This announcement informs customers of an upcoming certificate expiration affecting SP-initiated Single Sign-On (SSO). The update applies only to customers who have enabled SAML request certificate verification in their Identity Provider (IdP) configuration.

    Why Identity Providers Validate SAML Signing Certificates

    In an SP-initiated SAML SSO flow, Zuora acts as the Service Provider (SP) and signs authentication requests using its SAML signing certificate.

    When "Require verification certificates" is enabled in your Identity Provider:

    • The IdP validates the certificate that signed Zuora's SAML request, to ensure the SSO request originates from a trusted source, Zuora

    • This confirms the authenticity and integrity of login requests from the Zuora OneID portal (one.zuora.com)

    • It protects against impersonation, request tampering, and unauthorized access

    The certificate referenced in this update is Zuora's SAML signing certificate, which the IdP uses to validate SP-initiated SSO requests.

    This security measure strengthens SSO reliability and remains optional for customers who have not enabled certificate verification.

    What's Changing

    Zuora’s SAML signing certificate used for SP-initiated SSO will expire on January 8, 2026, based on the system’s local time zone settings.

    Customers using SP-initiated SSO with certificate verification enabled must add Zuora's certificate to the certificate chain in the IdP configuration before this date to avoid authentication disruptions.

    • The existing certificate will continue to function until January 8, 2026

    • No changes are required unless certificate verification is enabled

    This update improves certificate visibility and proactive management without impacting default or existing configurations.

    When Is This Relevant?

    This update applies only if both conditions are true:

    • You are using SAML-based SP-initiated SSO (login via the Zuora OneID SSO login page)

    • Your IdP is configured to require and validate the Service Provider signing certificate

    If either condition is not met, this certificate expiration does not affect your SSO setup.


    What Happens If the Certificate Is Not Updated?

    If certificate verification is enabled and the certificate expires:

    • SP-initiated SSO login requests from Zuora will fail

    • The IdP will reject requests due to an invalid or expired signing certificate

    Is This Mandatory?

    Certificate rotation is required only if:

    • You use SP-initiated SSO, and

    • You have enabled "Require verification certificates" in your IdP

    For all other customers:

    • The update is optional

    • Existing configurations continue to work without changes

    • No breaking changes or forced updates are introduced

    What Do You Need to Do?

    • No action is required if certificate verification is not enabled

    • If certificate verification is enabled:

      • Review Zuora's certificate expiration date in your IdP

      • Rotate the certificate on January 9, 2026

      • Download and upload the new Zuora SAML signing certificate into your Identity Provider to complete the update
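    The check an IdP administrator would want for the steps above, added here as an example that is not part of the original post or of any Zuora tooling: shell functions (assuming openssl is on PATH) that report whether a SAML signing certificate expires within a given window, print its notAfter date for comparison with the announced date, and compare SHA-256 fingerprints so the copy uploaded to the IdP can be confirmed against the one the SP publishes. The self-signed certificate used for testing is constructed locally.

```shell
#!/bin/sh
# Added example, not Zuora's code. Assumes: openssl on PATH; file paths are
# whatever the administrator exported from the IdP and downloaded from the SP.

# Return 0 when the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 if the cert is still valid after that many seconds.
cert_expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter field so it can be compared with the date in the announcement.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# SHA-256 fingerprint of the certificate; compare this value on the IdP side
# with the one computed from the certificate the SP publishes.
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the two files hold the same certificate, 1 otherwise.
certs_match() {
    [ "$(cert_sha256_fingerprint "$1")" = "$(cert_sha256_fingerprint "$2")" ]
}

# Constructed test data: a self-signed certificate valid for $2 days, standing in
# for the SP signing certificate so the checks can be exercised offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sp-signing-test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
```

A typical run is `cert_expires_within_days idp-copy.pem 30 && echo "rotate soon"` followed by `certs_match idp-copy.pem sp-published.pem` after the new certificate has been uploaded.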


    What's Next

    Zuora will continue investing in enhancements that improve security, visibility, and administrator confidence, while preserving flexibility and backward compatibility.

    If you have questions or need assistance with certificate management, please contact Zuora Support.



    ------------------------------
    Bharath Marimuthu
    Principal Product Manager
    Zuora
    ------------------------------
