Certificate management for SAML single sign-on
View our security recommendations
Your team's security and user provisioning settings may vary depending on your team size. Before setting up your team, we recommend that you choose a coupling approach and the relevant settings.
For more information, see our Celonis Platform security recommendations and best practices: Security recommendations
Manage your SAML single sign-on (SSO) certificates to maintain secure authentication tokens between your Identity Provider (IdP) and the Celonis Platform.
To satisfy corporate security governance and prevent user authentication lockouts, particularly for high-volume operational systems like Procurement or Order-to-Cash, you must align your certificate management method with your organization's IT compliance policies.
| Certificate Management Method | Functional Utility | Governance Application |
|---|---|---|
| Self-signed | Celonis automatically generates and signs the certificate. Valid for two or more years. | Best for rapid deployment or non-production environments that do not require external Certificate Authority (CA) validation. |
| Signed with user-provided certificate | Team administrators manually generate, sign via an external CA, and upload the certificate. The uploaded certificate domain must match your Celonis team domain. For example: | Mandated for enterprises requiring custom certificate expiry dates, specific cryptographic security settings, and centralized CA oversight. |
| Automatically regenerate certificate before expiry | Celonis automatically renews the certificate on the final Saturday before expiration and sends an email notification to platform administrators. | Minimizes operational maintenance and prevents unexpected system downtime due to expired security tokens. |
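
A pre-upload check for the user-provided certificate option in the table above, as an added example that is not Celonis code: it uses `openssl` to confirm that a certificate matches the team domain and is not close to expiry. The domain `my-team.example.com`, the 30-day threshold, the function names, and the reading of "certificate domain" as the subject CN or a SAN DNS name are assumptions; the sample certificate is constructed and self-signed only to serve as test input.

```shell
#!/bin/sh
# Added example (not Celonis code). Requires the openssl command-line tool.

# check_saml_cert CERT_PEM TEAM_DOMAIN [MIN_DAYS]
# Return codes: 0 = ready to upload, 1 = domain mismatch,
#               2 = expires within MIN_DAYS, 3 = not a readable certificate
check_saml_cert() {
    cert=$1
    domain=$2
    min_days=${3:-30}   # assumed threshold, set it to your own policy

    # The file must parse as an X.509 certificate at all.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3

    # -checkhost compares the name against SAN DNS entries and falls back
    # to the subject CN when the certificate has none. It reports the result
    # as text, so match on the message rather than the exit status.
    if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>&1 |
            grep -q "does match certificate"; then
        return 1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout \
        -checkend $((min_days * 86400)) >/dev/null 2>&1 || return 2

    return 0
}

# make_sample_cert OUT_PEM DOMAIN DAYS
# Builds a constructed, self-signed certificate for testing the check.
# A real upload would be signed by your external CA instead.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demonstration with a placeholder team domain.
tmp=$(mktemp -d)
make_sample_cert "$tmp/ok.pem" "my-team.example.com" 365
if check_saml_cert "$tmp/ok.pem" "my-team.example.com" 30; then
    echo "certificate matches the team domain and has more than 30 days left"
else
    echo "certificate rejected, return code $?"
fi
```

Run it against the CA-signed PEM file before uploading; the sample key under `$tmp` is throwaway test material.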