Note: This update only applies to workspaces using SAML SSO where your identity provider is set to Encrypt assertions and is using an Intercom (service provider) encryption certificate. If you’re not sure, check your IdP’s SAML app settings for “Encrypt assertions” (or “Assertion Encryption”).
If you’re not sure whether your workspace uses SAML, go to Settings > Security and check if SAML SSO is configured. For a first-time SAML setup, see: Integrate with an identity provider and log in with SAML SSO.
Intercom is updating our Service Provider (SP) certificate used for SAML single sign-on. To ensure uninterrupted SSO access for your team, you'll need to upload the new certificate to your Identity Provider before December 12, 2026.
What you'll need
Admin or security permissions in your Identity Provider (Okta, Azure AD, OneLogin, Google Workspace, etc.)
The Can manage general and security settings permission is required in order to access the Settings > Workspace > Security page in Intercom.
How to update the SAML certificate
Step 1: Check if you need to rotate the certificate
First, you need to check if you actually need a certificate rotation.
Go to Settings > Workspace > Security > Authentication methods. You should see the warning banner about SAML certificate rotation.
Note: This only applies to your SAML certificate. It does not affect SCIM.
Step 2: Download the new Intercom certificate
This is the new certificate:
-----BEGIN CERTIFICATE-----
MIIDYzCCAkugAwIBAgIUS9LFUH5IWanIgQ78d/qyKOdojAYwDQYJKoZIhvcNAQEL
BQAwQTERMA8GA1UECgwISW50ZXJjb20xETAPBgNVBAsMCFBsYXRmb3JtMRkwFwYD
VQQDDBBTQU1MIENlcnRpZmljYXRlMB4XDTI2MDExMjE3NTIzN1oXDTM2MDExMDE3
NTIzN1owQTERMA8GA1UECgwISW50ZXJjb20xETAPBgNVBAsMCFBsYXRmb3JtMRkw
FwYDVQQDDBBTQU1MIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA2LVcYLNwR0t1Co/FBNSFUEdpOJTM87X0//NPisUgQJ71l11Dohg9
Yg1aAraqOsQ9EPR9prdQjP50lhOmogjvPDClPlXtoHdRCJ81U/3duXoBdGS02NN3
2DetudNnyjeUefkcnPWsQ+FNZasnP9ODU8dtPKxMcLP3AmcUYOAaKp1r3WBuFDcT
woMtbrWUoxTfBeYx6nQ9TfzJOGQFZCYs30Sx1j5LVio5DoM3oynTTh0qOzJS+KpU
iIIqby8szpqWMfdPNTdBd7XQK2SkHmBgkgSDfQIII93kkXCP1bCOuo4rC+lIeXlF
gIi2Z4iMxuKceBeLBgFTovG7dVDeGmTucQIDAQABo1MwUTAdBgNVHQ4EFgQUgZdt
wisFHetsCww03EXQGt8Oq24wHwYDVR0jBBgwFoAUgZdtwisFHetsCww03EXQGt8O
q24wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAiL3wXWof5x+k
thOn2tAspFR/IH5NQHPLocV605FcRjt1JS1z0cBjtBroTKFarXo6T1NKQN5Lhjsu
wrvu1J/YQcGnSmChar8OJSIbxPhHrbpA6Gg2mtkH4BTnnXY3LBgVFfCl5oiFxZqB
ELkm6iBZmReot+MPWvE0Ypx7hQLI/3qLc5yYEw7ZNKWq/lRbbT4DLgKeHH89fSrm
cpDa9ZHF2e6rlx95LCbZUWyEE6pPFeq+6CyQt+FkwLl1e+ZIJTknWgD/bzPsZ6CF
XfF2fS2ObaUISKYEZMZx5o+JZnnYGr1U614lhniha+Rpykzoa+SsOdwvI0xl5ZRr
aqD3fI3jqA==
-----END CERTIFICATE-----
Depending on your Identity Provider you may need this to copy paste, or to have prepared as a file. In case you need it as a file you can save this content with a .pem or .crt extension
Step 3: Upload the Intercom SP certificate to your Identity Provider
Sign in to your Identity Provider's admin console and locate your Intercom SAML application settings. Look for a section labeled:
SP Certificate
Service Provider Certificate
Signature Verification Certificate
Encryption Certificate
Upload the certificate file you downloaded, or paste the certificate contents directly. Save your changes.
Refer to your Identity Provider's documentation for specific instructions on managing SAML certificates.
Example for Okta:
Open your integration application settings.
Open the Sign On tab and click Edit.
Click Browse and select the .pem file you created above in step 2, then click Upload.
Click Save to ensure your new certificate is used by your IDP.
Step 4: Verify the update
After uploading the certificate to your Identity Provider:
Sign out of Intercom.
Sign back in using SSO.
Confirm you can access your workspace without errors.
If you can sign in successfully using SSO, the certificate update is complete.
FAQs
When do I need to complete this SAML certificate update?
When do I need to complete this SAML certificate update?
The current certificate expires on December 12, 2026. We recommend updating as soon as possible to avoid losing access to your Intercom workspace.
What happens if I don't update the SAML certificate in time?
What happens if I don't update the SAML certificate in time?
After December 12, 2026, SAML logins will fail until you upload the new certificate. Teammates will see an authentication error when trying to sign in via SSO.
Need help?
If you run into issues updating your certificate, check your Identity Provider's documentation for certificate management instructions, or reach out to Intercom Support.
Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts