Genesys Cloud
Deprecation: Genesys Cloud SSO certificate expiry
Announced on | Effective date | Aha! idea |
---|---|---|
2025-10-06 | 2025-12-10 | - |
On December 10, 2025, Genesys Cloud will update its single sign-on certificate ahead of the current certificate’s expiration on January 1, 2026. Genesys chose this date to minimize disruption during the holiday period. The new certificate will be available for download in the admin UI starting November 2, 2025.
This update ensures secure and uninterrupted single sign-on (SSO) access in Genesys Cloud.
FAQs
Am I affected?
You are affected if either of the following applies: you have enabled the SSO configuration option to sign authentication requests, or you use the Single Logout feature and your identity provider supports signature verification for Single Logout requests.
How do I know if my organization signs authentication requests?
Organizations that configured Genesys Cloud to work with single sign-on added their configuration settings via the administration console under Integrations > Single Sign-On. If the Sign Authentication Requests checkbox is checked under the relevant identity provider, then authentication requests are being signed.
How do I know if my organization uses the Single Logout feature?
Organizations that configured Genesys Cloud to work with single sign-on added their configuration settings via the administration console under Integrations > Single Sign-On. If the Single Logout URI is configured under the relevant identity provider, then Single Logout is being used.
What should I do before the Removal Date?
If your organization uses signed authentication requests or the Single Logout feature, you must update your identity provider with the new certificate. If your provider supports multiple certificates, you can upload the new certificate anytime after November 2, 2025. Otherwise, upload the new certificate on or after December 10, 2025.
What time on December 10, 2025 will the certificate be updated?
The time of the certificate change on December 10, 2025 varies by region, according to the schedule below. The timeslots fall outside business hours in each region to minimize any potential disruption from the change. Update your identity provider configuration with the new certificate as close to these times as possible. The times below are given in US Eastern time (ET), with each region's local time (LCL) in parentheses.
9:00 a.m. Eastern
- prod-usw2: #Oregon – 0900 ET (0600 LCL)
- prod-aps1: #Mumbai – 0900 ET (1930 LCL)
- prod-apse3: #Jakarta #Satellite – 0900 ET (2000 LCL)
- prod-ape1: #Hong Kong #Satellite – 0900 ET (2100 LCL)
- prod-apse1: #Singapore #Satellite – 0900 ET (2200 LCL)
- prod-apne3: #Osaka – 0900 ET (2300 LCL)
- prod-apne1: #Tokyo – 0900 ET (2300 LCL)
- prod-apne2: #Seoul – 0900 ET (2300 LCL)
2:00 p.m. Eastern
- prod-apse2: #Sydney – 1400 ET (0600 LCL Thursday)
- prod-mec1: #UAE – 1400 ET (2300 LCL)
4:00 p.m. Eastern
- prod-euw2: #London – 1600 ET (2100 LCL)
- prod-euw1: #Ireland – 1600 ET (2100 LCL)
- prod-euc2: #Zurich – 1600 ET (2200 LCL)
- prod-euw3: #Paris #Satellite – 1600 ET (2200 LCL)
- prod-euc1: #Frankfurt – 1600 ET (2200 LCL)
- prod-afs1: #Cape Town #Satellite – 1600 ET (2300 LCL)
8:00 p.m. Eastern
- prod-mxc1: #Mexico – 2000 ET (2000 LCL)
- prod-cac1: #Canada – 2000 ET (2000 LCL)
- prod-use1: #N Virginia – 2000 ET (2000 LCL)
- fedramp-use2-core: #FedRamp – 2000 ET (2000 LCL)
- prod-sae1: #Sao Paulo – 2000 ET (2200 LCL)
What happens if I do not update the certificate?
If your organization uses signed authentication requests and you do not update the certificate, users cannot authenticate.
If your organization uses the Single Logout feature as part of its single sign-on setup and the single sign-on identity provider requires a certificate for Single Logout, the Single Logout feature stops working. With Single Logout, users can log out of either the identity provider or the service provider (Genesys Cloud). If Single Logout no longer works, the user must log out of both separately.
There is no impact to any other functionality.
Who should I contact for help or questions?
Contact My Support.