Genesys Cloud - Main


  • 1.  Genesys Cloud SSO Certificate Expiry 10Dec2025

    Posted 8 days ago
    Edited by David Murray 8 days ago

    On Wednesday December 10, 2025, Genesys Cloud will update its single sign-on certificate ahead of the current certificate's expiration on January 1, 2026.  Genesys chose this date to minimize disruption during the holiday period and also because nobody likes working on Jan 1st!

    I've received a few questions about this topic, so I have created this article to answer some of the questions I've received in relation to the announcement.

    We have an SSO integration configured.  Does this affect us?

    There are 2 features that use the Genesys Cloud SSO certificate.  If your org uses either of these features, you need to update the certificate in the Identity Provider configuration. The 2 features are as follows.  Review the Genesys Cloud configuration settings to confirm whether these features are being used.

    Sign Authentication Requests
    This is by far the more significant of the 2 features, from an impact perspective.  This feature enhancement was only introduced in July this year, so it is possible that your org is not using this feature.  In the Genesys Cloud admin UI (IT and Integrations > Single Sign-on), there is a checkbox, as shown below.  If this is checked, then this feature is being used and the certificate is being used by the Identity Provider to validate the authentication requests.  If the Identity Provider doesn't have the correct certificate, then they can't validate these requests.  So, getting the certificate changed out at the correct time (as outlined in the announcement) is really important. 
    If this checkbox is not checked, then you don't need to be concerned with the cert changeover for this feature.  

    Single Logout
    As the name suggests, with Single Logout, users can log out of either the identity provider or the service provider (Genesys Cloud) and have that logout reflected in both.  In other words, users only need to log out in one place and not both. 
    Single Logout is a little more complex from a configuration perspective.  As shown below, in the configuration for the SSO integration (IT and Integrations > Single Sign-on), if the Single Logout URI field is populated, then the SSO integration is using the Single Logout feature.  However, you also need to check on the Identity Provider configuration whether there is a setting to determine whether the Identity Provider uses signature verification for Single Logout requests.  If it does, then it is using this certificate to do this and the certificate needs to be updated.  If the Identity Provider does not use signature verification for Single Logout requests, you don't need to be concerned with the cert changeover for this feature. 

    Where do I obtain the new certificate?

    The new certificate is available to download from the Genesys Cloud Single Sign-on page (IT and Integrations > Single Sign-on) as shown below.  It is also included in the Genesys Cloud Metadata file which can be downloaded via the configuration UI for the specific SSO integration.

    Does Genesys have a report to identify whether I am using these features and need to make this cert change?

    No, Genesys does not have this level of configuration detail.  You need to review the configuration on both Genesys Cloud and on the Identity Provider, as outlined above.

    Can I upload the new certificate before Dec 10th?

    If your Identity Provider allows you to upload multiple certificates, you may upload the new certificate at any time.  However, if your Identity Provider does not allow you to upload multiple certificates, you should not upload the new certificate before Dec 10th.  Genesys Cloud and the Identity Provider both need to use the same cert for the features outlined above.  If the certs don't match, then the features won't work.  

    The existing cert is valid until Jan 1st.  Can I wait until then to make the change?

    No, while the admin UI states that the cert is valid until Jan 1st, we will be replacing this cert on Dec 10th.  So, while this is technically a valid cert until Jan 1st, we will stop using it on Dec 10th and the Identity Provider needs to be updated with the new cert on that date so that it matches the cert in use on Genesys Cloud.  

    Can I test this changeover in my non-production environment before Dec 10th?

    If you switch to use the new cert before Dec 10th on the Identity Provider configuration for your non-production org, the features outlined above will stop working.  This mimics the cert mismatch that will occur when we update the cert on Genesys Cloud on Dec 10th.  You can then correct this cert mismatch by replacing the new cert in the Identity Provider configuration with the current cert, so that the certs match once again.  The affected features should then work correctly from that point forward.  While this isn't exactly replicating the scenario in your non-production environment, it is a good simulation of what will occur on Dec 10th.  

    What happens if I don't update the cert on Dec 10th?

    If your organization uses signed authentication requests and you do not update the certificate, users cannot authenticate.  Obviously this is a very significant impact which is why we are scheduling the cert changeover to occur during normal out-of-hours for each region.  One mitigation option, if the feature is being used, is to disable this feature ahead of the changeover date (uncheck the checkbox) so that it removes it as a concern on the changeover date.  However, if you can update the cert on the Identity Provider configuration at the same time as we update the cert on Genesys Cloud and this is at a time when you would not expect to have users logging into the system, then this additional mitigation should not be needed.

    If your organization uses the Single Logout Feature as part of their single sign-on setup and the single sign-on identity provider requires a certificate for Single Logout, the Single Logout feature stops working. With Single Logout, users can log out of either the identity provider or the service provider (Genesys Cloud). If Single Logout no longer works, the user must log out of both separately.  This feature is a lot less impactful from the cert changeover perspective.  If the cert is not updated in the Identity Provider and the user logs out from Genesys Cloud, it will send a Single Logout request to the Identity Provider which will not be actioned, so the user will remain logged in on the Identity Provider, which is not that significant an issue in the short term, as the SSO integration will still continue to work.

    There is no impact to any other SSO functionality.

    Will the changeover occur exactly at the time in the announcement?

    We expect the cert changeover to occur within approximately 15 mins of the times outlined in the announcement.  There are a number of regions being updated in each timeslot and it will take a few minutes to perform the change.  The changeover times are listed in US Eastern timezone, but the local time (LCL) for each region is also shown.   For example, "prod-aps1: #Mumbai – 0900 ET (1930 LCL)" means that the APS1 region will be updated at 9am EST (US Eastern timezone) which corresponds to 19:30 in Mumbai.  

    Will I have to do this again next year?

    The good news is that the updated cert is valid until Jun 2030, so you won't have to do this again for a number of years.

    I see that there are now two certificates on the SSO page.  Do I need to update both of them?

    We have just added a new enhancement which allows Identity Providers to encrypt SAML assertions.  See this announcement for more details.  Identity Providers use the Genesys Encryption Certificate to encrypt the SAML assertions which we then decrypt.  This certificate won't expire until Jun 2030 so you don't need to worry about this one.  The cert that is expiring is the Genesys Signing Certificate.

    My Identity Provider admin told me that we use a self-signed cert and it doesn't expire until the middle of 2027.  Is he correct?

    He is probably correct.  However, for the SSO integration, there are two parties to the integration and two certs involved: the Genesys Signing certificate (the one that is expiring), which is uploaded in the Identity Provider configuration to support the features outlined above, and the Identity Provider certificate, which is uploaded in the Genesys Cloud SSO configuration.  The Identity Provider certificate, which is what your Identity Provider admin is referencing, is used by Genesys Cloud for SAML signature verification.  

     


    #API/Integrations
    #Security

    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------
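
One way to check the cert match described in the post above, as an added example that is not part of the original post and is not Genesys code: it fingerprints the signing certificate in a downloaded service-provider metadata file and compares it with the certificates exported from the Identity Provider, ignoring the encryption certificate. The function names, the PEM export from the Identity Provider, and the sample metadata (placeholder bytes, not real certificates) are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(b64_text):
    """SHA-256 fingerprint of the DER bytes behind a base64 certificate body."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def sp_fingerprints(metadata_xml):
    """Map each KeyDescriptor use to the fingerprints listed in the SP metadata."""
    found = {"signing": set(), "encryption": set()}
    root = ET.fromstring(metadata_xml)  # file from your own admin UI, not untrusted input
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            for use in uses:
                found.setdefault(use, set()).add(fingerprint(cert.text or ""))
    return found

def idp_fingerprints(pem_text):
    """Fingerprints of every PEM certificate exported from the IdP configuration."""
    return {fingerprint(body) for body in PEM_RE.findall(pem_text)}

def idp_trusts_sp_signing_cert(metadata_xml, idp_pem):
    """True when the IdP holds at least one signing certificate from the SP metadata."""
    return bool(sp_fingerprints(metadata_xml)["signing"] & idp_fingerprints(idp_pem))

# --- constructed sample data: placeholder bytes, not real X.509 certificates ---
OLD, NEW, ENC = (base64.b64encode(b).decode() for b in
                 (b"constructed-old-signing", b"constructed-new-signing", b"constructed-encryption"))

def pem_bundle(*b64_bodies):
    return "\n".join(f"-----BEGIN CERTIFICATE-----\n{b}\n-----END CERTIFICATE-----" for b in b64_bodies)

KD_TEMPLATE = ('<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
               '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="sp.example">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + KD_TEMPLATE.format(use="signing", cert=NEW) + KD_TEMPLATE.format(use="encryption", cert=ENC)
    + '</md:SPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    for label, pem in [("old only", pem_bundle(OLD)), ("old + new", pem_bundle(OLD, NEW)), ("encryption only", pem_bundle(ENC))]:
        print(label, "->", idp_trusts_sp_signing_cert(SAMPLE_METADATA, pem))
```

The "encryption only" case returns False: uploading the encryption certificate to the Identity Provider in place of the signing certificate does not satisfy signature verification.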



  • 2.  RE: Genesys Cloud SSO Certificate Expiry 10Dec2025

    Posted 20 hours ago

    This is great! Thank you for this David!



    ------------------------------
    Cameron
    Online Community Manager/Moderator
    ------------------------------



  • 3.  RE: Genesys Cloud SSO Certificate Expiry 10Dec2025
    Best Answer

    Posted 20 hours ago

    Thanks...

    I had two or three questions, but with this post they've all been answered.



    ------------------------------
    Kaio Oliveira
    Interaxa
    ------------------------------