Overview
SAML signing certificates are used by your Identity Provider (IdP) to sign assertions. Fabriq relies on these certificates to validate incoming SAML responses and ensure they are trusted.
When your IdP rotates its signing certificate, Fabriq must trust the new certificate as well. Whether this happens automatically or requires manual action depends on how your SSO configuration is set up in Fabriq.
Fabriq supports 2 setups:
Dynamic (metadata URL): automatic certificate rollover, with an option to refresh on demand
Static (pasted XML metadata): manual update required
How To Identify Your Configuration
In Fabriq, go to:
Organization Settings -> Security -> SSO
Look at the Signing certificates card:
If it says Managed from metadata URL, your setup is dynamic
If it says Managed from pasted XML metadata, your setup is static
1. Dynamic Setup: Metadata URL
If Fabriq is configured with a metadata URL pointing to your IdP's metadata endpoint, certificate rollover is handled automatically.
Fabriq periodically fetches the metadata and updates trusted signing certificates from the <ds:X509Certificate> elements.
Why this is recommended
This is the preferred setup because it:
reduces manual work during certificate rotation
supports zero-downtime rollover when your IdP publishes overlapping certificates
is compatible with providers such as Microsoft Entra ID that can expose multiple certificates during transition
Automatic sync schedule
Fabriq polls the metadata URL every 6 hours, anchored at midnight UTC:
UTC | CET (UTC+1) | CEST (UTC+2) |
00:00 | 01:00 | 02:00 |
06:00 | 07:00 | 08:00 |
12:00 | 13:00 | 14:00 |
18:00 | 19:00 | 20:00 |
Manual refresh
You can also trigger a refresh on demand from:
Organization Settings -> Security -> SSO -> Signing certificates -> Refresh certificates
This immediately fetches the latest metadata and updates the trusted signing certificates, so you do not need to wait for the next scheduled sync.
Important considerations
If your IdP rotates its certificate just after a scheduled sync, Fabriq may continue trusting only the previous certificate until the next automatic refresh, unless you trigger a manual refresh.
To avoid authentication failures:
rotate the certificate before the old one expires, with enough overlap
enable your IdP's dual-certificate / overlap mode whenever possible
or use Refresh certificates immediately after the rotation
2. Static Setup: Pasted XML Metadata
If Fabriq is configured using pasted XML metadata, the signing certificate is stored statically.
Fabriq does not automatically detect certificate changes in this setup. You must manually update the metadata whenever your IdP rotates its certificate.
Update procedure
Rotate the SAML signing certificate in your IdP
Export the updated metadata XML
In Fabriq, go to Organization Settings -> Security -> SSO
Edit the SSO configuration
Replace the existing XML with the updated metadata containing the new <ds:X509Certificate>
Use the SSO test flow to validate the configuration
Save the configuration
About the test flow
The SSO test flow:
runs a real SP-initiated SAML login
does not terminate your current session
helps validate the configuration before applying it
For static XML setups, testing alone does not update stored certificates. The new XML must still be saved to take effect.
Key Takeaway
If you want the lowest-maintenance setup, use a metadata URL configuration. It gives you automatic certificate rollover and lets you trigger an immediate refresh when needed.
Static XML setups require manual updates whenever certificates change, which makes them more operationally sensitive during renewals and rotations.
