Posted on: Fri, 07 Nov 2025
Resolved on: Fri, 07 Nov 2025

ZPA: Informational - Addition of New User SSO Service Provider Signing Certificate (SHA256)
Status: Resolved
Event Type: Informational

Description:

Zscaler has added a second User SSO Service Provider (SP) signing certificate, signed with SHA256, to enhance security. It is published alongside the existing SHA1-based certificate, which many customers currently use.

Zscaler wants to assure customers that the existing SHA1-based certificate is not being deprecated; customers may continue to use either certificate, and both are supported.

The new SHA256 certificate can be chosen in the existing IdP configuration with the name: "ZPA User SSO Service Provider Certificate - Feb 2 08:51:12 2038 GMT".

Due to this addition, the SP metadata API (/auth/metadata) now returns both the SHA1 and SHA256 signing certificates supported by the SP.

 

Does this affect me?

This change does not affect your organization if any of the following applies to your configuration:

  • You manually download the SP signing certificate from the ZPA Admin UI and upload it to your Identity Provider (IdP).
  • Your IdP configuration does not require signed SAML authentication requests (i.e., your configuration is "Unsigned").
  • Your IdP automatically syncs the SP certificate using the metadata URL and is able to try each of the certificates served, one after the other, when validating a signed SAML authentication request.

This change does affect your organization if your IdP automatically syncs the SP certificate using the metadata URL and cannot use more than one of the certificates served to validate a signed SAML authentication request.

Note: A quick way to tell whether your organization is affected is that new Zscaler Client Connector logins fail.
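As an added example (this is not part of the Zscaler notice and not Zscaler code), the following Python script parses SAML 2.0 SP metadata of the kind returned by /auth/metadata, lists every signing certificate the SP publishes, prints the fingerprints an IdP console would show, and applies the criterion above: affected only when the IdP requires signed requests, auto-syncs the SP metadata, and cannot validate against more than one published certificate. The entity ID and the two X509Certificate blobs in the embedded sample are constructed placeholders rather than real certificates, and the function and parameter names are assumptions made for the example.

```python
"""Triage helper for an SP that publishes two signing certificates in its SAML metadata.

Added example; not Zscaler code. Parses SAML 2.0 SP metadata, extracts every
signing certificate, and applies the rule from the notice: a deployment is
affected only when the IdP validates signed requests, auto-syncs the SP
metadata, and cannot try more than one SP signing certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Digital Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample standing in for the /auth/metadata response. The entityID
# is hypothetical and the two certificate blobs are placeholder bytes, not real
# Zscaler certificates; a real document carries full base64 DER certificates.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/auth/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{sha1_cert}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{sha256_cert}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".format(
    sha1_cert=base64.b64encode(b"placeholder-for-existing-sha1-signed-cert").decode(),
    sha256_cert=base64.b64encode(b"placeholder-for-new-sha256-signed-cert").decode(),
)


def signing_certificates(metadata_xml):
    """Return the decoded bytes of every SP signing certificate in the metadata.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it counts as a signing certificate; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "encryption":
            continue
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            # Base64 in metadata is often wrapped across lines; strip whitespace.
            certs.append(base64.b64decode("".join(x509.text.split())))
    return certs


def fingerprint(der, algo="sha256"):
    """Colon-separated uppercase hex fingerprint, as most IdP consoles display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_affected(metadata_xml, signed_requests, idp_autosyncs_metadata,
                idp_validates_multiple_certs):
    """Apply the notice's rule. True means the IdP configuration needs action."""
    if not signed_requests:
        return False  # "Unsigned": the IdP never checks an SP signature
    if not idp_autosyncs_metadata:
        return False  # certificate was uploaded manually; nothing changed at the IdP
    if idp_validates_multiple_certs:
        return False  # IdP can try each published certificate in turn
    return len(signing_certificates(metadata_xml)) > 1


if __name__ == "__main__":
    certs = signing_certificates(SAMPLE_METADATA)
    print(f"{len(certs)} SP signing certificate(s) published:")
    for der in certs:
        print("  SHA256 fingerprint:", fingerprint(der))
    print("affected (signed, auto-sync, single-cert IdP):",
          is_affected(SAMPLE_METADATA, True, True, False))
```

To use it against a live deployment, save the real /auth/metadata response and pass its contents to signing_certificates, then compare the fingerprints with the certificate(s) your IdP has imported. Note that "SHA1" and "SHA256" in this notice refer to the algorithm the certificate is signed with, not to the fingerprint shown in the IdP console; to tell the two certificates apart, check the validity period (the new one expires Feb 2 08:51:12 2038 GMT), for example with openssl x509 -inform DER -noout -text on the decoded bytes.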

 

What are the next steps?

  • If your organization or customers are NOT affected, no action is required.
  • If your organization or customers ARE affected (the IdP auto-syncs the SP certificate and cannot validate against both certificates), take one of the following actions to prevent potential authentication issues:
    1. Disable the auto-sync feature in the IdP and manually add to the IdP the User SP signing certificate that is configured in the ZPA Admin UI.
    2. Alternatively, manually remove the newly added SP certificate, which was automatically synced, from the IdP's trust store.

 

Additional information

To learn more about the IdP configuration, see ZPA: IdP Configuration in the Zscaler Help Portal or Help Browser in the ZPA Admin Portal.