topic Re: Splunk SSO Renewal Azure in Splunk Enterprise

Splunk SSO Renewal Azure

viku7474 — Fri, 12 Sep 2025 08:17:55 GMT

Our Splunk SSO Azure certificate is about to expire, and we need to renew new certificate in Splunk.

We have a 3 SHC machine.

I have placed the new IDP Cert inside etc/auth/idpcert/ dir, and clicked on reload authentication configuration.

The certificate did not replicate.

I have placed the new IDP Cert manually on all the 3 SHC's inside etc/auth/idpcert/ dir, and did the rolling restart.

After the restart, somehow it took the old IPD Certificate. (Checked via Openssl Command)

I have taken the backup and moved the old certificate to a different directory but when I manually place the new IDP Cert, and do a restart, it is reflecting with old cert.

Any ways to fix this issue to renew the new cert?

I don't see Metadata XML configured at the first place. So unsure if we need to install metadata XML or IDP Cert.

Re: Splunk SSO Renewal Azure

livehybrid — Sat, 13 Sep 2025 18:23:46 GMT

Hi @viku7474

The recommended/documented process for this is to upload the SAML cert using the UI:

From the system bar, select Settings > Authentication Methods.
In the External section of the page that appears, select SAML.
Select the Configure Splunk to use SAML link that appears.
In the SAML configuration page, under IdP certificate chains, paste the contents of the IdP certificate chain into the text field.
Select Save to close the configuration page.
In the Authentication Methods page, select Reload authentication configuration.

Please could you try this approach and let me know how you get on? You can find out more info at https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.3/use-saml-as-an-authentication-scheme-for-single-sign-on/refresh-expiring-saml-identity-provider-certificates

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Splunk SSO Renewal Azure

PickleRick — Sat, 13 Sep 2025 18:51:57 GMT

Unfortunately, clustered search head environment is known (since at least 8.2) to have issues with certs getting wrongly replicated across the members causing the old certs to persist.