SAML SSO – Verify and Replace 2025 Self-Signed Certificate
- Product: Alma, Primo VE, Leganto, Esploro, Rapido
The current self-signed SAML service provider certificate will expire in December 2025. If your institution uses this certificate, we recommend consulting with your IT department to determine whether a replacement is needed for Alma, Primo VE, or other applications. If so, the replacement should be coordinated with your identity provider administrators as detailed below.
Instructions to Determine if you are Using the 2025 Self-signed Service Provider SAML Certificate
To determine if your Alma/Primo VE/Leganto/Esploro/Rapido application is using the 2025 self-signed service provider SAML certificate, which expires on December 31, 2025, follow these instructions:
-
Log in to the staff management module of your Alma/Primo VE/Leganto/Esploro/Rapido.
-
Go to the Integration Profile List screen (Configuration > General > External Systems > Integration Profiles).
-
From the filter 'Integration Type' drop-down options, choose SAML.
-
Locate the relevant Integration Profile and select Edit from the row actions.
-
In the Integration Profile screen, navigate to the Actions tab.
-
Verify if the 2025 self-signed SAML certificate is selected. Refer to the screenshot below as an example:
Instructions to Replace the 2025 Self-signed Service Provider SAML Certificate
To replace the 2025 self-signed service provider SAML certificate, which expires on December 31, 2025, follow these instructions:
-
Log in to the staff management module of your Alma/Primo VE/Leganto/Esploro/Rapido.
-
Go to the Integration Profile List screen (Configuration > General > External Systems > Integration Profiles).
-
From the filter 'Integration Type' drop-down options, choose SAML.
-
Locate the relevant Integration Profile and select Edit from the row actions.
-
In the Integration Profile screen, navigate to the Actions tab.
-
Click the Add additional certificate button.
-
In the New Alma metadata file version drop-down menu, select the Version 2030 certificate as shown in the following screenshot:
-
Click the Save button to save the changes.
-
Copy and modify the URL format below to construct the SAML Service Provider metadata URL using the new 2030 certificate:
https://application_server_name/view/saml/metadata?VERSION=VERSION_2030
Examples:
Alma: https://myinstitutionID.alma.exlibrisgroup.com/view/saml/metadata?VERSION=VERSION_2030
Primo VE (hosted server name): https://myinstitutionID.primo.exlibrisgroup.com/view/saml/metadata?VERSION=VERSION_2030
Primo VE (custom server name): https://primo.library.myinstitution.edu/view/saml/metadata?VERSION=VERSION_2030 -
Send the metadata file URL(s) to your SAML identity provider (IdP) administrators, and ask them to update the IdP configurations using the metadata files.
-
Once the IdP configurations are updated, test to ensure login is working.
-
After confirming that login is working, follow steps 1 to 5 to open the integration profile again.
-
Click the Delete old certificate button to remove the 2025 version certificate.
-
Click the Save button.
-
Test again to ensure that login is still working.
If your institution uses the Alma generic server name for SAML login with Alma or Primo VE, and is a member of a SAML federation—such as the InCommon Federation (U.S.) or the UK Access Management Federation — we will be replacing the certificate for you. Therefore, please open a support ticket so we can coordinate with you to replace the expiring certificate.
We are scheduled to update the federation service provider entries that use Alma generic server names during the week of December 14, 2025.
For your reference, here are some example SAML service provider entity IDs using Alma generic server names:
If your institution uses custom host names and is a member of a SAML federation, our support team has already completed the certificate replacement process to the extent possible. To verify, please follow the instructions in the first section of this document, and check the certificate selection in your integration profile:
• If the 2030 certificate is selected, no further action is needed.
• If the 2025 certificate is still selected, please open a support ticket so we can assist you.
• If both the 2025 and 2030 certificates are selected (as shown in step 7 of the certificate replacement instructions), it means we've update the federation settings but could not confirm that your IdP has retrieved the 2030 certificate from the federation. In this case, please proceed to step 9 and coordinate with your IdP administrators to complete the certificate replacement process.
- Article last edited: 30-Jul-2025