Updating AAD SAML Provider certificate in Jira Align continues to display old certificate expiration
Summary
After updating an Azure Active Directory (AAD) SAML Provider's certificate in Jira Align, the UI continues to display the old certificate's expiration date instead of the new certificate.
Environment
Jira Align
Diagnosis
After updating an AAD SAML Provider's certificate in Jira Align under Settings > Platform > Security > [saml_provider], the panel continues to display the old certificate expiration.
Cause
This issue can occur when both the new and old SAML Signing Certificates exist in AAD's SAML configuration.
In this case, the resulting SAML Metadata XML which is downloaded from AAD and added to Jira Align will contain both the new and old certificates. Jira Align will display the oldest certificate found in the metadata.
Solution
Jira Align will still be able to validate the new certificate from AAD since it has a copy of its public key. Therefore, customers should not experience any disruptions with access despite the old certificate information being displayed.
To resolve the issue
- In AAD, navigate to [Jira Align application] > Single sign-on > SAML Signing Certificate, click Edit
- Download copies of both the Inactive (expired) and Active certificates as a backup
- Delete the Inactive (expired) certificate
- Download a new copy of the SAML Metadata XML under [Jira Align application] > Single sign-on > SAML Signing Certificate > Federation Metadata XML, click Download
- Update the SAML Provider configuration in Jira Align with the new metadata: go to Settings > Platform > Security > edit [saml_provider], paste the metadata into SAML 2.0 Metadata, then Save and Close.
- Refresh the page and confirm the new cert expiration is now reflected in the UI
- Verify that SSO users can log in successfully
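Before pasting the downloaded metadata into Jira Align, you can check whether it still carries more than one signing certificate, which is the condition described under Cause. The following Python script is an added example, not Atlassian or Microsoft code. It lists each distinct signing certificate in a SAML metadata document with SHA-1 and SHA-256 fingerprints, so each can be matched against the certificate copies downloaded as a backup. The sample metadata and its certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_certificates(metadata_xml):
    """Return one entry per distinct signing certificate in SAML metadata."""
    root = ET.fromstring(metadata_xml)
    seen = {}
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        # A KeyDescriptor with no "use" attribute also applies to signing.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS):
            # The base64 text may be wrapped across lines; strip whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            sha256 = hashlib.sha256(der).hexdigest().upper()
            # The same certificate can appear under several descriptors;
            # keying on the fingerprint reports it once.
            seen.setdefault(sha256, {
                "sha1": hashlib.sha1(der).hexdigest().upper(),
                "sha256": sha256,
            })
    return list(seen.values())

def has_multiple_signing_certs(metadata_xml):
    """True when old and new certificates are both still in the metadata."""
    return len(signing_certificates(metadata_xml)) > 1

def _sample_metadata(*blobs):
    # Constructed sample: placeholder bytes stand in for real DER certificates.
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        % base64.b64encode(b).decode() for b in blobs)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://idp.example/"><md:IDPSSODescriptor>%s'
            "</md:IDPSSODescriptor></md:EntityDescriptor>" % (MD, DS, keys))

SAMPLE_BOTH = _sample_metadata(b"constructed-old-cert", b"constructed-new-cert",
                               b"constructed-new-cert")
SAMPLE_CLEAN = _sample_metadata(b"constructed-new-cert")

if __name__ == "__main__":
    for entry in signing_certificates(SAMPLE_BOTH):
        print(entry["sha1"], entry["sha256"])
    print("multiple signing certs:", has_multiple_signing_certs(SAMPLE_BOTH))
```

To check real metadata, pass the contents of the downloaded Federation Metadata XML file to `signing_certificates()` in place of the sample.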