How to update expired SSO certificates or secrets

Last updated: September 16, 2025

When your SSO certificate or client secret expires, you'll encounter authentication errors and won't be able to access the Spacelift UI through SSO. Here's how to resolve this issue.

Error symptoms

You may see errors like:

  • AADSTS7000222: The provided client secret keys are expired

  • could not exchange code for token: oauth2: "invalid_client"

Resolution steps

Option 1: Using backup credentials (recommended)

If you have access to a root admin API key:

  1. Log in using your backup credentials by following the backup credentials guide

  2. Navigate to your SSO settings

  3. Unlink the current SSO configuration

  4. Set up SSO again with your updated certificate or client secret

Option 2: Vendor assistance

If you don't have access to backup credentials, our support team can remove the SSO configuration on our end. This requires:

  1. Security approval from our team

  2. DNS verification - you'll need to add a specific TXT record to your domain

  3. Once SSO is removed, your login will default back to your initial identity provider

Important notes

  • You cannot update SSO settings directly - you must unlink and reconfigure the entire SSO setup

  • Save your current SSO settings before unlinking in case you need to reference them

  • When SSO is disabled, users authenticate through the default identity provider and must have the appropriate user permissions assigned there

  • Ensure your IT team provides the correct client secret value (not the client secret ID) when reconfiguring

Common configuration errors

If you receive "AADSTS7000215: Invalid client secret provided" when setting up the new SSO, check for:

  • Using the wrong secret value

  • Expired or invalid secret

  • Typographical errors or encoding issues with special characters

  • Using the client secret ID instead of the client secret value

Consult with your IT team to verify the correct secret value if you encounter these errors.