If your organization uses Single Sign-On (SSO) with FMX, your SSL/TLS certificate ensures secure communication between your identity provider (IdP) and FMX. Expired or invalid certificates can interrupt SSO functionality, so planning ahead for certificate renewal is critical. 

This guide walks you through best practices for SSL certificate renewal in a step-by-step, easy-to-follow format.


1. Understand Why SSL Certificates Matter for SSO

  • SSL certificates encrypt authentication traffic between your IdP (like AD FS or Azure AD) and FMX.

  • If your certificate expires, users will not be able to authenticate via SSO, resulting in login failures.

  • Renewal should always happen before the certificate expires to avoid service disruptions.


2. Identify Your SSL Certificate Details

  1. Log in to your IdP administration console:

    • For AD FS, open the AD FS Management snap-in.

    • For Azure AD, check the SAML Signing Certificate under the enterprise application configuration.

  2. Locate the current certificate used for SSO:

    • Expiration date

    • Thumbprint / Fingerprint

    • Certificate authority

Tip: Keep a screenshot or note of these details for reference.


3. Plan Certificate Renewal Timeline

  • Start renewal 30–60 days before expiration to allow time for testing.

  • Coordinate with your IT/security team to ensure any dependencies (like AD FS servers) are accounted for.

  • If you are using AD FS, you can generate a new token signing certificate without impacting current users.


4. Renew the Certificate in Your IdP

A. For AD FS (On-Premises)

  1. Open AD FS Management → Service → Certificates.

  2. Click Set Service Communications Certificate and select your new certificate.

  3. Ensure the new certificate is trusted by all IdP servers in your federation.

  4. Open Relying Party Trusts → Edit Claim Rules → Certificates and make sure the new certificate is applied for signing.

B. For Azure AD / Enterprise Applications

  1. Log in to Azure Portal → Enterprise Applications → Your FMX Application → Single sign-on → SAML Signing Certificate.

  2. Click New Certificate or Update Certificate.

  3. Upload or generate the new certificate and save changes.

  4. Download the Federation Metadata XML and save it for FMX.


5. Update FMX with the Metadata

  • If your App Federation Metadata URL has changed, provide the updated URL to FMX by emailing support@gofmx.com.


6. Test the Renewal

  • Test login with several user accounts, including different user types and roles.

  • Confirm all building access, user types, and claims are being applied correctly.

  • For AD FS, check the Event Viewer → AD FS Logs to verify no authentication errors occur.


7. Maintain Ongoing Best Practices

  • Document expiration dates and set calendar reminders for next renewal.

  • Keep a backup of the previous certificate for rollback if issues arise.

  • If you have multiple IdP servers, ensure the certificate is updated on all servers simultaneously.

  • Consider enabling automatic renewal notifications if your certificate provider supports it.
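As an added example (not part of this FMX guide or its tooling), the Go program below reads the signing certificate out of a downloaded Federation Metadata XML (step 4.B.4), reports the expiration date and thumbprint from section 2, and grades it against the 30–60 day lead time from section 3, so the reminder in section 7 can be a scheduled check instead of a calendar note. The metadata document and certificate it runs on are constructed inline for the demonstration; the element layout follows standard SAML metadata (a `KeyDescriptor use="signing"` element), which is an assumption rather than something taken from FMX's or your IdP's files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// CheckSigningCert reads the signing certificate out of SAML federation metadata and returns its SHA-1
// thumbprint (as AD FS and the Azure portal display it), days left until NotAfter, and "ok", "renew" or "expired".
func CheckSigningCert(metaXML []byte, now time.Time) (thumb, action string, days int, err error) {
	var m struct { // elements are matched by local name, so the SAML and dsig namespaces do not matter
		Keys []struct {
			Use  string `xml:"use,attr"`
			Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"IDPSSODescriptor>KeyDescriptor"`
	}
	if err = xml.Unmarshal(metaXML, &m); err != nil {
		return "", "", 0, err
	}
	for _, k := range m.Keys {
		if k.Use != "signing" { continue } // encryption keys do not affect logins; only the signing certificate matters
		der, _ := base64.StdEncoding.DecodeString(k.Cert) // IdPs publish it on one line; corrupt input fails to parse below
		cert, e := x509.ParseCertificate(der)
		if e != nil { return "", "", 0, fmt.Errorf("signing certificate in metadata is unreadable: %w", e) }
		days, action = int(cert.NotAfter.Sub(now).Hours()/24), "ok"
		if days < 0 {
			action = "expired" // SSO logins are already failing
		} else if days <= 60 {
			action = "renew" // inside the guide's 30-60 day window: start now so there is time to test
		}
		return fmt.Sprintf("%X", sha1.Sum(der)), action, days, nil
	}
	return "", "", 0, fmt.Errorf("metadata has no signing KeyDescriptor")
}

// SampleMetadata is constructed test input: a throwaway self-signed certificate expiring at notAfter, inside a minimal EntityDescriptor.
func SampleMetadata(notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return []byte(`<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo><X509Data><X509Certificate>` +
		base64.StdEncoding.EncodeToString(der) + `</X509Certificate></X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>`)
}
```

In practice you would feed CheckSigningCert the metadata file from step 4.B.4 (or the document fetched from your App Federation Metadata URL) from a scheduled job, and treat a "renew" or "expired" result as the trigger for sections 3 and 4; comparing the returned thumbprint with the one shown in AD FS or the Azure portal confirms the metadata really carries the new certificate.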


8. Troubleshooting Common SSL Certificate Issues

  • Issue: Users cannot log in via SSO
    Recommended Action: Verify the certificate has been updated in the IdP and FMX.
  • Issue: Token signing errors in AD FS
    Recommended Action: Ensure the new certificate is marked as primary in AD FS.
  • Issue: Federation metadata not syncing
    Recommended Action: Confirm the Federation Metadata URL points to the latest certificate.
  • Issue: Browser SSL warnings
    Recommended Action: Confirm the certificate is trusted and correctly installed on the IdP.

By following these best practices, you can ensure FMX SSO remains secure and uninterrupted during SSL certificate renewals. When submitting a support case, please include the relevant metadata URL and confirm your FMX hostname, along with whether you are using WS-Fed or SAML2 (if known).
