Here are the steps you'll need to add PhotoShelter’s new certificate to your SSO configuration within your IdP. Most SSO IdPs will support having two signing certificates within the configuration, which may be referred to as the “Secondary Verification Certificate” or similar.
If you can’t create a secondary certificate under the same SP entry for PhotoShelter, see: If your IdP does not support adding a secondary verification certificate:
General SSO Setup Information can be found here:
Technical SSO Setup/Configuration Instructions (for IT Teams)
You can access the new certificate by going to your public-facing metadata page.
-
For the Lumen Portal (recommended to do this first), this will be located here:
[label].photoshelter.site/sso/SAML2/METADATA
-
For the Classic Portal, this will be located here:
[label].photoshelter.com/sso/SAML2/METADATA or [subdomain.customdomain.com]/sso/SAML2/METADATA
Once you’ve accessed your metadata page, search for the second entry of this line to locate our new certificate:
- <md:KeyDescriptor use="signing">
NOTE: Do not delete the current certificate on your configuration.
Enter the certificate located where the arrow is pointing in the image above as the secondary certificate within your IdP configuration, and you’ll be all set!
Please note that as the above refers to a verification certificate, no action is needed if verification certificates aren't set as required on your end of the configuration.
If your IdP does not support adding a secondary verification certificate:
- Wait for 02/12/2026 to put in the new certificate.
- Put in the new certificate as the primary certificate, and reach out to our Support team (brands@photoshelter.com) - we can manually set your account to use the new certificate before 02/12/2026.
- You can turn off the setting to require a Signed Request in your IDP settings, so the need for a certificate is not necessary.
Certificate/Metadata locations:
https://{label}.photoshelter.site/sso/SAML2/METADATA (Lumen Portal)
https://{label}.photoshelter.com/sso/SAML2/METADATA (Classic Portal)
Other things to note:
We recommend loading the metadata from a URL to ensure automatic updates. While some platforms do not support this, most do support uploading the metadata XML file via a URL.
You can turn off the setting to require a Signed Request in your IDP settings, so the need for a certificate is not necessary.
Update steps:
- Load metadata from URL (https://{label}.photoshelter.com/sso/SAML2/METADATA)
- Upload new metadata file (that you downloaded from above)
- Manually add the new certificate as an alternate
This contains both the primary and secondary validation certificates.