Advice and answers from the Tribal Habits Team

Our Single-Sign-On certificate expired and we can't log in!

If your SSO certificate has expired before you updated it in Tribal Habits, you can still log in and fix the problem.
Written by David King
Updated 8 months ago

Single-Sign-On (SSO) requires that the SSO certificate in your Identity Provider matches the SSO certificate in your Tribal Habits portal.

Sometimes, SSO certificates can be set to expire after a period (typically one year). Usually, your Identity Provider will allow both the old and new certificates to function for a short period to allow you to update your certificate in Tribal Habits.

However, sometimes the expiry immediately cancels your old certificate (or the dual certificate process simply doesn't work). At that point, your Tribal Habits SSO certificate will no longer match and your SSO logins will fail. You will typically receive an error "Invalid Signature on SAML Response" when trying to log in.

In such a case, you can hopefully log in to your portal without using SSO to fix the issue.

  1. Go to yourorganisation.tribalhabits.com/accounts/sign_in_without_sso
  2. Log in with your Tribal Habits username or email, and your Tribal Habits password. Use the password reset function if you have forgotten it.
  3. This will allow you to log in to your portal using your Tribal Habits credentials (rather than your SSO credentials).
  4. Switch to your Admin area and the Account menu. 
  5. Select the 'Configure SAML' button on the Overview panel.
  6. On this page you will see your Identity Provider x.509 Certificate. It begins with '-----BEGIN CERTIFICATE-----'. That's what you need to replace.
  7. Obtain your new certificate and Edit your SAML details. Paste the new certificate into the certificate field, including the BEGIN and END certificate text.
  8. Save your changes and your SSO should start working again.
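
Before pasting the new certificate in step 7, you can sanity-check the file locally. This is an added example, not part of the Tribal Habits documentation: it assumes the OpenSSL command-line tool is installed, and the function name `check_idp_cert`, the file name and the 30-day threshold are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for a new IdP signing certificate.
# check_idp_cert FILE [MIN_DAYS]   (function name and threshold are illustrative)
# Returns 0 when FILE holds exactly one PEM certificate that parses as X.509
# and stays valid for at least MIN_DAYS (default 30).
check_idp_cert() {
    file="$1"
    min_days="${2:-30}"

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Step 7 requires the BEGIN and END lines; expect exactly one of each.
    begins=$(grep -cF -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -cF -- '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected one BEGIN/END CERTIFICATE pair, found $begins/$ends" >&2
        return 3
    fi

    # Must decode as X.509; catches truncated or mangled base64.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo "not a parseable X.509 certificate" >&2
        return 4
    fi

    # Details to compare against what the Identity Provider shows.
    openssl x509 -in "$file" -noout -subject -enddate -fingerprint -sha256

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout \
            -checkend "$((min_days * 86400))" >/dev/null; then
        echo "certificate expires within $min_days days or has expired" >&2
        return 5
    fi
    return 0
}

# Usage (file name is an assumption): check_idp_cert new-idp-cert.pem 30
```

A non-zero return means the file should not be pasted as is: 3 indicates missing or duplicated BEGIN/END lines, 4 a damaged certificate body, and 5 a certificate that is expired or about to expire.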

If problems continue afterwards, please contact Support for additional help.
