Document SAML certificate rotation on GitLab.com

What

Document what group owners should do if they need to update/rotate SAML certificates used for GitLab.com SSO.

Why

Organizations will need to rotate certificates when they are about to expire or when potentially compromised. Some organizations may want to regularly rotate certificates to avoid unexpected obstacles to doing so.

How

  • We currently only support one certificate fingerprint per group, so this should be updated at the same time as the identity provider changes which certificate it uses.
  • Care should be taken with SSO enforcement during this, as it could result in being unable to sign in.
  • It could be worth doing this alongside our Support team if this is a rare occurrence.
  • Long term we might want to support configuring SAML using IdP metadata. This may allow IdPs to inform us of multiple certificates and provide a smoother experience than building out a UI for this.
Edited Jul 03, 2025 by 🤖 GitLab Bot 🤖
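
Added example (not part of the original issue and not GitLab's code): a pre-rotation check that reads the signing certificates an IdP publishes in its SAML metadata, computes their fingerprints, and shows which one matches the fingerprint currently configured for the group and which are candidates for the cutover. The metadata is constructed with placeholder certificate bytes, the function names are hypothetical, and SHA-1 is an assumed default for the fingerprint algorithm.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _key_descriptor(use, raw):
    """Constructed KeyDescriptor; `raw` stands in for a certificate's DER bytes."""
    b64 = base64.b64encode(raw).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed sample: an IdP publishing its current and next signing certificate.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor("signing", b"constructed-current-cert")
    + _key_descriptor("signing", b"constructed-next-cert")
    + _key_descriptor("encryption", b"constructed-encryption-cert")
    + '</md:IDPSSODescriptor></md:EntityDescriptor>')

def fingerprint(der, algo="sha1"):
    """Colon-separated uppercase hex digest of the certificate's DER encoding."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Compare fingerprints regardless of separators or letter case."""
    return fp.replace(":", "").replace(" ", "").lower()

def signing_fingerprints(metadata_xml, algo="sha1"):
    """Fingerprints of every IdP signing certificate, in document order."""
    # Only parse metadata obtained over a trusted channel.
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing + encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.append(fingerprint(der, algo))
    return found

def rotation_plan(metadata_xml, configured_fp, algo="sha1"):
    """Is the configured fingerprint still published, and what could replace it?"""
    fps = signing_fingerprints(metadata_xml, algo)
    same = normalize(configured_fp)
    return {"configured_still_published": any(normalize(f) == same for f in fps),
            "candidates": [f for f in fps if normalize(f) != same]}
```

If `configured_still_published` is false before the group setting has been changed, the IdP has already stopped advertising the certificate the group trusts, which is the lockout case the issue warns about when SSO enforcement is on.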