
Certificate management for SAML single sign-on

View our security recommendations

Your team security and user provisioning settings may vary depending on your team size. Before setting up your team, we therefore recommend that you choose a coupling approach and relevant settings.

For more information, see our Celonis Platform security recommendations and best practices: Security recommendations

Manage your SAML single sign-on (SSO) certificates to maintain secure authentication tokens between your Identity Provider (IdP) and the Celonis Platform.

To satisfy corporate security governance and prevent user authentication lockouts, particularly for high-volume operational systems like Procurement or Order-to-Cash, you must align your certificate management method with your organization's IT compliance policies.

| Certificate Management Method | Functional Utility | Governance Application |
| --- | --- | --- |
| Self-signed | Celonis automatically generates and signs the certificate. Valid for two or more years. | Best for rapid deployment or non-production environments that do not require external Certificate Authority (CA) validation. |
| Signed with user-provided certificate | Team administrators manually generate, sign via an external CA, and upload the certificate. The uploaded certificate domain must match your Celonis team domain. For example: myteam.eu-1.celonis.cloud | Mandated for enterprises requiring custom certificate expiry dates, specific cryptographic security settings, and centralized CA oversight. |
| Automatically regenerate certificate before expiry | Celonis automatically renews the certificate on the final Saturday before expiration and sends an email notification to platform administrators. | Minimizes operational maintenance and prevents unexpected system downtime due to expired security tokens. |
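A pre-upload check for the user-provided certificate option, written as an added example and not taken from the Celonis documentation: it confirms that a PEM certificate covers the team domain and is not close to expiry. It assumes the domain match is evaluated against the certificate's SAN/CN; the 30-day threshold, the function names, and the `otherteam` domain are hypothetical, and the sample certificate is a constructed throwaway.

```shell
#!/bin/sh
# Added example: pre-upload check for a user-provided SAML certificate.
# Assumptions (not from the Celonis docs): the domain match is evaluated
# against the certificate's SAN/CN; 30 days is an arbitrary minimum validity.

# check_cert CERT_PEM TEAM_DOMAIN [MIN_DAYS]
# Returns 0 if OK, 1 on domain mismatch, 2 if the certificate expires too soon.
check_cert() {
    cert=$1; domain=$2; min_days=${3:-30}

    # -checkhost prints "... does match certificate" or "... does NOT match certificate"
    if ! openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q 'does match'; then
        echo "FAIL: certificate does not cover $domain" >&2
        return 1
    fi
    # -checkend exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days" >&2
        return 2
    fi
    echo "OK: $domain, expires $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
}

# make_sample_cert OUT_PEM DOMAIN DAYS
# Builds a constructed test certificate. It is self-signed only so the demo
# runs offline; a real upload would be signed by your external CA.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -days "$3" -out "$1" 2>/dev/null
}

# Demo on a constructed certificate for the example team domain from the table.
tmp=$(mktemp -d)
make_sample_cert "$tmp/saml.pem" myteam.eu-1.celonis.cloud 365
check_cert "$tmp/saml.pem" myteam.eu-1.celonis.cloud
check_cert "$tmp/saml.pem" otherteam.eu-1.celonis.cloud || echo "mismatch rejected"
rm -rf "$tmp"
```

Running the same check on a schedule against the currently uploaded certificate gives early warning of expiry when automatic regeneration is not in use.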
