Rotate InVision SAML certificate
  • 18 Mar 2024

InVision supports single sign-on (SSO) via SAML. In accordance with security best practices, InVision's service provider SAML certificate expires every two years. If a customer's identity provider requires it, customers must update their identity provider with InVision's new service provider SAML certificate before expiry to continue using SSO.

If customers do not switch to InVision's new SAML certificate before expiry, and the identity provider requires service provider SAML certificate rotation, users won't be able to use SSO to sign in to InVision. 

SAML certificate rotation is typically done by your organization's identity provider (IdP) administrator, which may be your system administrator, security administrator, or IT department.

InVision supports the following identity providers: Okta, OneLogin, Ping, ADFS, and Azure. If you're using one of these supported providers with an InVision app in the application gallery or other IdP-supported automatic rotation, continue to Rotate with a supported identity provider.

If you use a custom identity provider or one of the supported identity providers without using a gallery app or automatic rotation, skip to Rotate with a custom identity provider.

Note

While we make every effort to inform our customers of the need to rotate our service provider SAML certificate, it is the customer’s responsibility to determine if it is necessary.

Rotate with a supported identity provider

InVision supports the following identity providers: Okta, OneLogin, Ping, ADFS, and Azure.

If you’re accessing InVision from the app gallery of Okta, OneLogin, Ping, or Azure, no manual certificate update should be required.

If you're using ADFS and configured it to use InVision’s metadata URL in the federated metadata address, it should not be necessary to manually rotate the service provider SAML certificate. 

Rotate with a custom identity provider

If your organization has a custom identity provider (IdP), you may need to manually rotate to InVision's new SAML certificate, especially if traffic is encrypted with identity provider and service provider certificates.

When you open your organization's InVision SAML metadata, it lists four certificates in the following order:

  • InVision's current expiring encryption certificate
  • InVision's current expiring signing certificate
  • InVision's new encryption certificate
  • InVision's new signing certificate

Depending on your circumstances, you may need both the encryption and signing certificate information. Ensure you import the information for InVision's new certificates, which are the third and fourth ones listed.

  1. Go to https://your-team-subdomain.invisionapp.com/sso/metadata.
  2. Locate the information for InVision's new encryption and signing certificates, which are the third and fourth ones listed.
  3. In the X509Certificate element, copy the element text.
  4. Add the copied text to your IdP.
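As an added example (not InVision's own tooling), the script below parses service-provider metadata of the kind served at the /sso/metadata URL, lists the KeyDescriptor certificates in document order, strips the line-wrapping whitespace from each X509Certificate value, and computes a SHA-256 fingerprint of the decoded bytes so the value pasted into the IdP can be checked against what the IdP displays. The metadata is constructed and its certificate values are placeholder bytes rather than real certificates; the namespace URIs are the standard SAML 2.0 metadata and XML-DSig ones.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _b64(label: str) -> str:
    # Constructed placeholder "certificate" bytes; a real document carries DER-encoded X.509.
    return base64.b64encode(label.encode()).decode()

# Constructed sample SP metadata in the four-entry order the article describes.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://your-team-subdomain.invisionapp.com/sso/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64('old-encryption')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64('old-signing')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64('new-encryption')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64('new-signing')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def list_certificates(metadata_xml: str) -> list:
    """Every SP KeyDescriptor in document order: use, whitespace-free base64, SHA-256 of the bytes."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        # Metadata usually line-wraps the base64; strip all whitespace before decoding or pasting.
        b64 = "".join((node.text or "").split())
        der = base64.b64decode(b64, validate=True)
        certs.append({"use": kd.get("use", "signing and encryption"), "certificate": b64,
                      "sha256": hashlib.sha256(der).hexdigest()})
    return certs

def new_certificates(metadata_xml: str) -> dict:
    """Select the new encryption and signing certificates (third and fourth entries)."""
    certs = list_certificates(metadata_xml)
    # Refuse to guess if the document does not have the expected shape.
    if len(certs) != 4 or [c["use"] for c in certs[2:]] != ["encryption", "signing"]:
        raise ValueError("metadata does not list the expected four certificates")
    return {"encryption": certs[2], "signing": certs[3]}

if __name__ == "__main__":
    for use, cert in new_certificates(SAMPLE_METADATA).items():
        print(f"new {use} certificate SHA-256: {cert['sha256']}")
```

Against a real download, compare the printed fingerprint with the thumbprint your IdP shows after the paste; a mismatch usually means wrapped whitespace or the wrong (expiring) entry was copied.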

Maintain access with a backup sign in method

If your organization's security standards allow for non-SSO sign in, and to ensure uninterrupted access to InVision, we recommend turning on sign in with email and password. If your organization does not rotate its certificate in time, users will still be able to sign in to InVision. If you're unsure if you need to rotate, turning on this setting is a good option to prevent being locked out.

You must be an admin or owner on your team to turn on this setting.

  1. Sign in to your organization.
  2. In the lower-left corner, select [Your Team Name] > Settings.
  3. Select Single sign-on.
  4. Scroll to the bottom of the screen and turn on Allow users to sign in without SAML.
  5. Select Update.

Members of your organization can now sign in with either SSO or their email and password. Once your organization rotates its SAML certificate, turn off this setting to only allow sign in with SSO.
