Skip to main content

Celonis Product Documentation

Certificate management for SAML single sign-on

When configuring SAML single sign-on for your Celonis Platform, you must select your preferred certificate management method. You have four options here:


These certificates are automatically generated but are not signed by an authority. Self-signed certificates are valid for two or more years.

Signed by Let's Encrypt

These certificates are generated by an open-source provider, Let’s Encrypt. Celonis calls their service (using challenges to validate the authenticity of the domain and the request), with Let’s Encrypt then sending back a signed certificate that’s valid for three months.

Signed with user-provided certificate

These certificates should be generated, managed, and uploaded by your team admins. User-provided certificates allow you to define your own certificate expiry dates, security settings, and more.

When uploading your own SSO certificate, the domain provided must match your Celonis Platform team domain. For example:

Automatically regenerate certificate before expiry

Certificates are renewed on the final Saturday before the expiration date, with administrators given notice via email (except for user-provided certificates). The certificate can also be renewed manually before or after its expiry date or if the automatic regeneration failed.