SSO login errors with strict SP cert matching

Incident Report for Keeper Status Page

Postmortem

On June 30, 2025, Keeper published an updated SAML Service Provider (SP) certificate as part of our standard annual process. This certificate is used for signing SP requests and does not impact SSL termination. During the update, the certificate subject name was unintentionally changed from sso.keepersecurity.com to sso.staging.keepersecurity.com.

While most identity providers do not validate the certificate subject name, certain providers—such as JumpCloud and Shibboleth—may enforce strict matching and reject SAML requests when the subject name does not align.

On Sunday, July 6, 2025, routine backend infrastructure changes caused the cert to be propagated across production systems throughout the morning hours. The issue with the subject name was identified by our team after several troubleshooting calls with customers. The DevOps team then corrected the issue by publishing the certificate with the proper subject name around 12pm PST.

A review of the case history shows that this affected a small number of customers. Next year, when the SP cert change is approaching, we will notify all customers with the exact date and time when the cert will be updated, so those customers using strict SP cert matching can be prepared. We apologize for the error and we have taken steps to ensure this does not occur again.

Posted Jul 07, 2025 - 20:21 PDT
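
A rotation gate for the failure described in this postmortem, as an added example that is not Keeper's code or process: it refuses to publish a renewed SP signing certificate whose subject differs from the one currently published. The function names and the throwaway self-signed certificates are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```sh
#!/bin/sh
# Pre-publication gate for a rotated SAML SP signing certificate (added example).
set -u

# Print the subject DN of a PEM certificate in RFC 2253 form, e.g. "CN=host".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//'
}

# usage: check_rotation current.pem candidate.pem
# Returns 0 if the subjects match, 1 if they differ, 2 if either cannot be read.
check_rotation() {
    cur_subject=$(cert_subject "$1")
    new_subject=$(cert_subject "$2")
    if [ -z "$cur_subject" ] || [ -z "$new_subject" ]; then
        echo "ERROR: could not read a certificate subject" >&2
        return 2
    fi
    if [ "$cur_subject" != "$new_subject" ]; then
        echo "BLOCK: subject changed: '$cur_subject' -> '$new_subject'" >&2
        return 1
    fi
    echo "OK: subject unchanged ($new_subject)"
}

# Constructed sample input: a throwaway self-signed certificate with the given CN.
# usage: make_cert CN out.pem
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

make_cert sso.keepersecurity.com         "$tmp/current.pem"  # published today
make_cert sso.keepersecurity.com         "$tmp/renewed.pem"  # correct renewal
make_cert sso.staging.keepersecurity.com "$tmp/wrong.pem"    # the subject from this incident

check_rotation "$tmp/current.pem" "$tmp/renewed.pem" || echo "unexpected block"
check_rotation "$tmp/current.pem" "$tmp/wrong.pem" ||
    echo "rotation halted before publishing"
```

Run as a required step in the rotation pipeline, a non-zero exit stops the new certificate from being propagated to production.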

Resolved

Several customers have been experiencing SSO login errors this morning. The team determined the cause of the issue, which is detailed in the postmortem report.
Posted Jul 06, 2025 - 08:00 PDT