We've just shipped a major upgrade to our SAML integration β automatic certificate management for Microsoft Entra ID.
The problem with manual certificates
Until now, setting up SAML with Microsoft Entra required you to manually copy the X.509 signing certificate from Azure and paste it into 21RISK. Worse, when Entra rotated the certificate (which happens periodically), your IT team had to notice, grab the new certificate, and update 21RISK β or risk SSO login breaking for all your users.
That's a stressful, easy-to-miss maintenance task.
How automatic mode works
When configuring a SAML connection, you can now choose Microsoft Entra ID as the provider type and simply paste the Federation Metadata URL from your Entra application. That's it.
21RISK will automatically:
- Fetch the Entity ID, SSO URL, and signing certificate(s) from the metadata
- Refresh the metadata multiple times a day to pick up any changes
- Handle certificate rotation seamlessly β when Entra publishes a new certificate, 21RISK picks it up automatically
You can see the current auto-fetched values β including certificate thumbprints and expiry dates β directly on the SAML connection page. And if you ever need an immediate update, there's a Refresh Now button right there.
Key benefits
- Zero-touch certificate rotation β No more manual cert updates when Entra rotates certificates
- Reduced downtime risk β Certificate expiry can no longer silently break SSO for your users
- Simpler setup β Just one URL to paste instead of copying four separate values
- Full visibility β See exactly which certificates are fetched, their thumbprints, and when metadata was last refreshed
Still prefer manual?
No problem. If you use a SAML provider other than Microsoft Entra β or if you simply prefer to manage certificates yourself β you can select Other SAML Provider and configure everything manually, just like before.
You can read more in our updated step-by-step guide here.