I'm managing over 120 SaaS applications that utilize single sign-on (SSO) through Entra. Most of these applications rely on certificates, while some use secrets. With 2-3 year renewal cycles for these credentials, I'm averaging about 3-4 renewals each month. Some service providers allow me to manage SSO through their admin portal, but others require me to open a ticket for renewals since they don't offer that option. Some need my federation XML URL, while others require a direct copy of the XML file, and a few even ask for the certificate itself. To keep track, I created a script that queries my SSO applications for certificates and secrets that will expire within 90 days, listing them by date so I know what needs renewing soon. I'm curious about how others are managing SSO for their SaaS applications. Is there a more efficient or automated way to handle this?
2 Answers
Honestly, we just wait until it breaks! 😂 It's the most effective alarm system when an end user runs into the issue.
r/scream_test
Are you talking about app registrations? Because enterprise SAML apps actually have built-in email notifications for expiring certs. There's also a preview feature in Entra that shows recommendations for expiring application credentials, plus you can enable email alerts there. For automation on the vendor side, unless they provide an API, you're likely stuck doing manual work since many vendors won’t let you handle updates yourself. It's really unfortunate, but SSO standards aren't always applied consistently across vendors. Hope you have good documentation for each vendor's requirements!
Thanks for the tip about the app credentials expiration notices! I wasn't aware of those features, and it seems like every vendor has their unique way of implementing SSO.
No better alarm than an end user finding the issue!