Cornerstone Single Sign-On Certificate Upgrade - Overview

To comply with security requirements, Cornerstone is required to upgrade its SSO certificate for all inbound or outbound SSOs to use the SHA256 CA-Verified Cert Signature. Historically, this has been done by reaching out to each client individually and scheduling a time when the certificate can be upgraded on both the Cornerstone and client side to prevent any downtime.

With this release, Cornerstone is providing self-service functionality for client administrators to upgrade the certificate on their Cornerstone portal, which they can do at the same time they upgrade the certificate in their SSO configuration. This removes any need to coordinate with Cornerstone and gives organizations the flexibility to upgrade their certificate whenever they are ready.

Users who are in the system administrator role receive system-generated reminder emails prior to the SSO certificate auto-upgrade date. This reminder does not need to be configured by an administrator and is automatically sent at predefined intervals of 90, 60, 30, 15, 10, 7, 6, 5, 4, 3, 2, and 1 days before the auto-renewal date. The email is active for all portals, localized to the user's language, and will ignore dead box settings to ensure delivery to the intended recipient. If a portal has no SSO connectors that need upgrading, or if they have already been upgraded, then the email is not sent.

How Does this Enhancement Benefit My Organization?

This enhancement provides a self-service ability for clients to upgrade the Single Sign-On (SSO) certificate for their Cornerstone portal.


This functionality is automatically enabled for all organizations.


The following new permission applies to this functionality:

Single Sign On - CSOD Certificate | Grants ability to view, manage, and upgrade SSO certificates and configurations. This is an administrator permission. This permission cannot be constrained. | Core Administration

Security Roles

Upon release, the new Single Sign On - CSOD Certificate permission is automatically granted to the default System Administrator role. Administrators must grant this permission with the appropriate constraints to other roles, if necessary.