How does Spacelift handle SAML certificate updates and key rollover?

Last updated: September 9, 2025

When your SAML Identity Provider's X.509 signing certificate changes, Spacelift's behavior depends on how your SAML integration was configured - either in dynamic or static mode.

Dynamic Configuration

If you have Dynamic configuration enabled, Spacelift automatically re-fetches your IdP's metadata (including certificate updates and key rollover) on each login attempt. This means certificate changes are handled automatically without any manual intervention required.

Dynamic configuration is enabled when you provide a metadata URL during SAML setup rather than uploading static metadata files.

Static Metadata

If Dynamic configuration is disabled, you provided a one-time metadata XML (or JSON-escaped string) when you first activated SSO. In this case, Spacelift only reads that metadata once at activation time and will not automatically detect certificate changes.

For static configurations, you'll need to manually update the SAML integration when certificates change.

Updating Static SAML Configuration

To update a static SAML configuration with new certificate information:

  1. Disable SSO in your Spacelift settings (this will immediately remove the integration and invalidate existing sessions)

  2. Re-configure the SAML integration with the updated metadata as outlined in the SAML setup documentation

Checking Your Configuration Type

If you have an IdP metadata URL configured in your SAML settings, you're likely using dynamic configuration. If you're unsure about your setup type, you can check your SAML integration settings to see whether a metadata URL or static metadata was provided.
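In static mode nothing in Spacelift will tell you that the IdP's signing certificate has rolled, so the check has to come from your side. As an added example (not Spacelift's code), the Python below extracts the signing certificates from the metadata XML you uploaded at activation and from a freshly downloaded copy of the IdP's metadata, and reports whether the static integration needs to be re-configured; both metadata documents, the entityID and the certificate bodies are constructed stand-ins.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signing_cert_fingerprints(metadata_xml: str) -> set[str]:
    """SHA-256 fingerprints of every IdP signing certificate in the metadata.

    A KeyDescriptor with no 'use' attribute is valid for signing as well as
    encryption, so it is included. Line-wrapped base64 is joined before decoding.
    """
    root = ET.fromstring(metadata_xml)
    prints = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints


def rollover_report(stored_xml: str, live_xml: str) -> dict:
    """Compare the uploaded (static) metadata against the IdP's current metadata.

    'update_needed' is True when the IdP publishes a signing cert the static
    configuration has never seen: assertions signed with it would be rejected.
    """
    old, new = signing_cert_fingerprints(stored_xml), signing_cert_fingerprints(live_xml)
    return {"added": new - old, "retired": old - new, "update_needed": not new <= old}


def _metadata(cert_bodies):
    """Build a minimal constructed IdP metadata document (not real IdP output)."""
    keys = "".join(f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>\n{b}\n'
                   f'</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>' for b in cert_bodies)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.invalid"><md:IDPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{keys}</md:IDPSSODescriptor></md:EntityDescriptor>')


# Constructed stand-ins for DER certificate bytes; real metadata carries base64 X.509 DER.
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()
STORED_METADATA = _metadata([CERT_A])        # what was uploaded when SSO was activated
LIVE_METADATA = _metadata([CERT_A, CERT_B])  # IdP now also publishes the rollover cert

if __name__ == "__main__":
    print(rollover_report(STORED_METADATA, LIVE_METADATA))
```

Run it on a schedule against your IdP's metadata URL; an `update_needed` result is your cue to follow the disable-and-reconfigure steps above before the IdP retires the old key.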

Important Recommendation

Before making any changes to your SAML configuration, we strongly recommend setting up backup credentials to avoid being locked out of your account during the transition.