🔐 Understanding the Anaplan X.509 Certificate Rotation Email
(Note: This email is sent to Tenant Security Administrators or Tenant Administrators within your Anaplan Tenant)
When you receive an email from Anaplan like this:
Email Sample:
Hi, Your Anaplan Certificate for SSO needs to be rotated by July 16, 2025 (IST) for the (Connection Name).
With the introduction of self-service SAML, you can now rotate the Anaplan Certificate for SSO yourself in Administration. You don't need to work with Anaplan Support to do this.
Required action
Please rotate your Anaplan Certificate for SSO before July 16, 2025 (IST).
Your Tenant Security Administrator can rotate your Anaplan Certificate for SSO in Administration.
You can view instructions on how to manage your Anaplan SSO certificate for more information.
You may be wondering: What's this certificate and do I need to take action?
This article explains what the Anaplan X.509 certificate is, when you should take action, and what to do if something goes wrong.
🔎 What's the Anaplan X.509 Certificate?
An Anaplan X.509 certificate is a digital certificate used to enhance the security of SSO (Single Sign-On). It's part of the SAML authentication process.
- This certificate is meant to be uploaded on the Identity Provider (IDP) side — for example, in Azure AD, Okta, ADFS, or Google Workspace.
- It isn't mandatory unless your SSO configuration specifically requires it.
✅ Do I Need to Take Action?
👉 You don't need to take action if:
- Your organization isn't using the Anaplan X.509 certificate in your IDP settings.
- You haven't previously uploaded the Anaplan certificate in your SSO configuration.
In this case, you can ignore the email and continue your regular activities.
⚠️ Important: You must always rotate your IDP certificate
Your IDP certificate (e.g., from Azure, Okta, etc.) is the primary certificate used to authenticate users logging into Anaplan. This must be updated before it expires to avoid SSO login issues.
🛠️ Common Scenarios and What to Do
🟢 If you've already rotated the certificate:
Great! No further action is needed. Your SSO will continue to function as expected.
🟡 If you mistakenly uploaded the Anaplan X.509 certificate into Anaplan’s SSO settings:
Don’t worry — your SSO might fail temporarily, but this can be fixed.
Resolution:
- Re-upload your active IDP certificate into Anaplan via the Administration console.
- If your SSO is down and you can't log in:
- Use an Exception User (a user who logs in with Basic Authentication) to fix the settings.
- If you don't have an exception user, please raise a support ticket with Anaplan Support for assistance.
📌 Summary
Scenario | Action |
|---|
Not using Anaplan X.509 | Ignore the email |
Using Anaplan X.509 | Upload updated cert to your IDP |
Mistakenly uploaded Anaplan cert into Anaplan | Re-upload correct IDP cert |
No Exception User and locked out | Contact Anaplan Support |
If you're ever unsure, it's always safe to verify with your IT/security team or open a support case with Anaplan.
