Service Provider SAML Signing Certificate FAQ

Article ID: CTX562151

Description

Q: What is SAML signing?

A: SAML signing certificates are X.509 certificates used to verify data sent between the Service Provider (SP) and SAML provider (IdP). Your SAML provider (IdP) uses the Citrix Cloud SAML signing certificate to verify the signature sent by Citrix Cloud within its SAML authentication request.

Q: Why have I received a notification via email and within the Citrix Cloud admin console indicating that the current Citrix Cloud SAML signing certificate is about to expire and must be replaced?

A: SAML providers (IdP) require a valid, unexpired certificate to verify the signature of incoming SAML requests from service providers (SP) such as Workspace and the Citrix Cloud administrator console. Citrix Cloud customers using SAML for Workspace and/or Citrix Cloud admin console logon have been contacted to advise them of an imminent SAML signing certificate rotation.

Q: How do I know whether my Citrix Cloud customer is affected by the Citrix Cloud SAML signing certificate rotation?

A: This will affect Citrix Cloud customers with the following SAML configuration.

  1. Your SAML connection within Citrix Cloud is configured with Sign Authentication Requests = Yes.
  2. You have configured your SAML provider, such as Azure Active Directory or ADFS, to reject unsigned SAML requests.
  3. You have Single Logout (SLO) configured within your Citrix Cloud SAML connection and within your SAML provider. Your SAML provider may require SLO requests to be signed.
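
For condition 2 on an ADFS IdP, the relying party trust itself shows whether signed requests are required and when the stored request signing certificate expires. The script below is an added example, not Citrix's own tooling; the `*Citrix*` name filter and the 30-day threshold are assumptions to adjust for your environment.

```powershell
# Added example: run in an elevated PowerShell session on an AD FS server.
Import-Module ADFS

$nameFilter = '*Citrix*'  # assumption: the trust's display name contains "Citrix"
$warnDays   = 30          # constructed warning threshold, in days
$now        = Get-Date

$trusts = Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -like $nameFilter }

$report = foreach ($trust in $trusts) {
    # RequestSigningCertificate holds the SP certificate(s) AD FS uses to
    # verify signed SAML requests; it can be empty.
    $certs = @($trust.RequestSigningCertificate | Where-Object { $_ })

    if ($certs.Count -eq 0) {
        [pscustomobject]@{
            Trust                  = $trust.Name
            SignedRequestsRequired = $trust.SignedSamlRequestsRequired
            Thumbprint             = $null
            NotAfter               = $null
            DaysLeft               = $null
            Status                 = if ($trust.SignedSamlRequestsRequired) {
                                         'signed requests required, no certificate configured'
                                     } else { 'no signing certificate configured' }
        }
        continue
    }

    foreach ($cert in $certs) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        [pscustomobject]@{
            Trust                  = $trust.Name
            SignedRequestsRequired = $trust.SignedSamlRequestsRequired
            Thumbprint             = $cert.Thumbprint
            NotAfter               = $cert.NotAfter
            DaysLeft               = $daysLeft
            Status                 = if ($daysLeft -lt 0) { 'EXPIRED' }
                                     elseif ($daysLeft -le $warnDays) { 'ROTATE SOON' }
                                     else { 'ok' }
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

A trust that reports `SignedRequestsRequired = True` together with an expired or soon-to-expire certificate is the configuration the notification is about.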


Q: How do I check the current configuration of my Citrix Cloud SAML connection?

A: Navigate to Identity and Access Management > SAML 2.0 > View to check if you have Sign Authentication Requests enabled within your Citrix Cloud SAML connection. All new SAML connections within Citrix Cloud will default to Sign Authentication Requests = Yes.


Additional Information


Rotate the Citrix Cloud SAML signing certificate used by ADFS relying party trust