Vault uses a certificate for secure data transfer between the server and web browsers (HTTPS), and a separate certificate for SAML SSO and for Spark Messages.

The HTTPS web server certificate periodically rolls over with little impact. In some instances, a user may need to clear the local browser cache, but this is not typically required. The certificate used for SAML and Spark Messaging rolls over every year and may require an Admin or a developer to check existing profiles or integrations to ensure they work with the new certificate.

About the SAML SSO & Spark Messaging Certificate

All Vaults use the same signing certificate, which is rolled over every year. Prior to releasing a new certificate, Veeva sends out a maintenance notification detailing the upcoming rollover, including dates. Once the new certificate is released, Vault automatically updates all SAML Profiles and Spark Messaging connections, making the new certificate available for use.

During the rollover, the previous certificate is still available and you can switch between new and previous certificates if needed, for example if an integration breaks or you need to perform testing before switching over to the new certificate. Once the rollover period ends, the new certificate becomes the only active certificate. Download Vault Signing Certificate.

The SAML SSO & Spark Messaging certificate rollover has five stages:

  1. New Certificate Publishing. The new certificate is available for download. You can start testing with the new certificate. Download Vault Signing Certificate.
  2. New Certificate Testing Period. The new signing certificate can be tested during this period.
  3. New Certificate Rollover with Rollback Option. The new signing certificate becomes effective on all SAML Profiles and Spark connections.
  4. Support for New and Old Certificate. Previous certificate is still supported and can be rolled back, if additional testing is required.
  5. Final Certificate Rollover. The new signing certificate becomes effective again if you rolled back to the previous certificate. Previous signing certificate is no longer available.

During the rollover, you can switch certificates, view the Initial Rollover Date and Final Rollover Date, as well as download both certificates from a connection or SAML Profile.

For more detailed information about what to do during a certificate rollover, see SAML SSO & Spark Messaging Certificate Rollover.

Common SAML SSO and Spark Messaging Rollover Issues

  • Some SAML SSO identity providers are able to automatically update to the new SP certificate, but some are not. The new certificate may need to be configured on your provider’s system prior to the initial rollover event. Please contact your Identity Provider administrator for details on the process to update the certificate on their servers. If you have other questions, you can always contact Veeva Support.
  • When the new certificate is released, Vault SAML SP Metadata includes both the old and the new certificate. Some IdPs auto-update the certificates for their SP configuration by downloading the SP Metadata from the Vault SAML Profile, installing both the old and the new certificate. This may cause IdPs such as ADFS to reject Vault issued SP-initiated SAML calls because the IdP doesn’t know which certificate to use to validate the signature. See About SP Certificates.
  • Some Spark Messaging integrations may cache the certificate, so when the initial certificate rollover occurs, the new certificate may not be picked up immediately. Ensure your cached certificates are set to refresh frequently.