Do not use demo certificates for active SAML configurations

  • Release version: Australia
  • Updated March 12, 2026
  • Control whether demo certificates are used in production SAML configurations.

    The demo certificates provided by ServiceNow should not be used in production SAML configurations. These certificates are identical across all instances and have a known passphrase. If any of the SAML properties that use a certificate keystore is active (require_signed_authnrequest, require_signed_logoutrequest, or encrypt_assertion), the demo data must not be used. Because the demo data is shared among all instances, requests signed with the shared certificates carry no integrity guarantee.

    Set up a custom keystore, following the documentation. The value of glide.authenticate.sso.saml2.keystore should be set to the sys_id of a custom, active keystore.

    More information

    Attribute                        Description
    Configuration name               glide.authenticate.sso.saml2.keystore
    Configuration type               System Properties (/sys_properties_list.do)
    Data type                        String
    Recommended value                Does not contain the sys_id c60ad24b732220103a5b0dd43cf6a7db or 3685fc22930212003c5537ae867ffb91
    Default value                    <none>
    Fallback value                   <none>
    Category                         Communications
    Security risk                    • Severity score: 3.9
                                     • CVSS rating: Low
                                     • Security risk details: Messages encrypted by the IDP could be decrypted by any actor, if intercepted.
    Functional impact                None
    Dependencies and prerequisites   None
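
The check described on this page, written as an added example (not ServiceNow code): a Node.js function that audits an exported settings object for the demo keystore. The two demo sys_ids and the property names come from the page; the shape of the settings object, the status labels and the sample values are assumptions.

```javascript
// Added example. The two sys_ids and the property names come from the page;
// the settings object shape and the status labels are assumptions.
const DEMO_KEYSTORE_SYS_IDS = [
  'c60ad24b732220103a5b0dd43cf6a7db',
  '3685fc22930212003c5537ae867ffb91',
];
const KEYSTORE_PROP = 'glide.authenticate.sso.saml2.keystore';
const KEYSTORE_USERS = [
  'require_signed_authnrequest',
  'require_signed_logoutrequest',
  'encrypt_assertion',
];

// Exported values may arrive as booleans or as the strings "true"/"false".
const isOn = (v) => String(v).trim().toLowerCase() === 'true';

function auditSamlKeystore(settings) {
  const active = KEYSTORE_USERS.filter((name) => isOn(settings[name]));
  const value = String(settings[KEYSTORE_PROP] ?? '').trim().toLowerCase();
  // "Does not contain": substring match, so a demo sys_id inside a longer value is caught.
  const demoHits = DEMO_KEYSTORE_SYS_IDS.filter((id) => value.includes(id));

  let status = 'PASS';
  let reason = 'no demo keystore referenced';
  if (demoHits.length > 0) {
    // FAIL when a dependent setting is on; WARN when the demo keystore is only latent.
    status = active.length > 0 ? 'FAIL' : 'WARN';
    reason = active.length > 0
      ? 'demo keystore backs active signing or encryption settings'
      : 'demo keystore referenced, no dependent setting active yet';
  } else if (active.length > 0 && !/^[0-9a-f]{32}$/.test(value)) {
    // Dependent settings are on, but the property does not hold one 32-hex sys_id.
    status = 'REVIEW';
    reason = 'dependent settings active but value is not a single sys_id';
  }
  return { status, reason, active, demoHits };
}

// Constructed sample export, not taken from a real instance.
const sample = {
  'glide.authenticate.sso.saml2.keystore': ' C60AD24B732220103A5B0DD43CF6A7DB ',
  require_signed_authnrequest: 'true',
  require_signed_logoutrequest: 'false',
  encrypt_assertion: 'false',
};
console.log(auditSamlKeystore(sample));
```

A PASS here only means the property does not reference a demo keystore; whether the referenced keystore record is active still has to be confirmed on the instance.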