Login.gov 2026 SAML certificate rotation

[FuhuXia]

Annual Login.gov SAML certificate rotation needs to be done by March 2026. The 2025 certificates expire on April 1, 2026.

Sketch

Follow steps describe in wiki Login.gov SAML certificate rotation steps and notes from previous year.

• Generate new SP certificates.

The following two steps should be done at about the same time to minimize app authentication down time.

• Update development IdP metadata URL in the code, update private keys in the CF environment.
• Update public certs for development apps in login.gov sandbox dashboard.

The following two steps should be done at about the same time to minimize app authentication down time.

• Update staging and prod IdP metadata URL in the code, update private keys in the CF environment.
• Update public certs for staging/prod in the mirrored apps in login.gov sandbox dashboard, submit change requests to have the mirrored apps promoted, make sure they are deployed.

[FuhuXia]

Inventory and Catalog have been updated with 2026 SAML certificate.

[FuhuXia]

tickets submitted to login.gov zendesk to update sp certificates for our apps.

• catalog-staging: https://zendesk.login.gov/hc/en-us/requests/15406
• catalog-prod: https://zendesk.login.gov/hc/en-us/requests/15407
• inventory-staging: https://zendesk.login.gov/hc/en-us/requests/15410
• inventory-prod: https://zendesk.login.gov/hc/en-us/requests/15411

[FuhuXia]

Waiting for login.gov support to complete our ticket, then we

• update cf env vars with the latest private keys for inventory and catalog in staging and prod spaces.
• upload the private/public cert to google drive.