Learning management system API integration fails after SAML certificate expiration

Learning content sync from SuccessFactors to our external LMS (Cornerstone) completely stopped working three days ago. After investigation, we discovered the SAML certificate expired on June 5th. We renewed the certificate in both systems, but the API integration still fails with authentication errors.

The error suggests OAuth2 client configuration issues:

HTTP 401: Unauthorized
oauth_error: invalid_client
error_description: SAML assertion validation failed

We’re using SAML assertion flow for OAuth2 token generation. The certificate renewal process seemed straightforward - we uploaded the new certificate to SuccessFactors and updated the public key in Cornerstone. But something is broken in the certificate lifecycle management.

We have no certificate expiration monitoring in place, which is why this caught us off guard. Learning assignments for 2000+ employees are blocked. How do we properly configure certificate renewal and implement monitoring to prevent this?

Where exactly do I find the certificate thumbprint in SuccessFactors? And should I update the OAuth2 client in Cornerstone or SuccessFactors?

Certificate renewal requires updates in multiple locations. First, generate a new certificate with at least 2-year validity. Upload it to the SuccessFactors SAML settings. Export the public key and update it in the Cornerstone OAuth client configuration. Most importantly, update the certificate thumbprint in the OAuth2 client metadata - this is the step most people miss. The thumbprint must match exactly or SAML assertion validation fails. Also verify that the certificate common name matches your SuccessFactors entity ID.

The invalid_client error indicates a mismatch between the certificate thumbprint in your OAuth2 client configuration and the actual certificate. After uploading the new certificate to SuccessFactors, you need to update the client registration in Cornerstone with the new thumbprint value.

Don’t forget to test the OAuth token generation flow after certificate updates. Use Postman or a similar tool to manually request a token using the SAML assertion grant type. This validates the entire certificate chain before re-enabling production sync jobs.

For monitoring, set up automated certificate expiration checks. Use a scheduled script that queries the SuccessFactors SAML metadata endpoint and parses the X.509 certificate. Extract the NotAfter date and trigger alerts 90, 60, and 30 days before expiration. We use Azure Monitor for this with custom metrics.
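A script of the kind this answer describes, combined with the thumbprint comparison that the earlier answers stress (the configured thumbprint must match the certificate actually published in the metadata). This is an added example, not code from the thread or from SAP or Cornerstone. It uses only the Python standard library, so the X.509 parsing is a minimal DER walker rather than a full library. Everything specific in it is an assumption: no metadata URL is fetched (the SAML metadata document and the certificate inside it are constructed placeholders so the script runs offline), and the thumbprint is taken to be the SHA-1 hex digest of the DER certificate, which is the usual convention but should be checked against what the Cornerstone client registration actually stores.

```python
"""Certificate check for a SAML/OAuth2 integration: thumbprint mismatch + expiry alerts.

Added example, not code from the thread or from SAP/Cornerstone. Standard library only.
The SAML metadata document and the X.509 certificate inside it are constructed samples
(placeholder names, empty key and signature) so the script runs offline; in production
feed signing_certs_from_metadata() the real metadata fetched over HTTPS."""
import base64
import datetime as dt
import hashlib
import xml.etree.ElementTree as ET

ALERT_DAYS = (90, 60, 30)                       # alert thresholds named in the thread
DS = "{http://www.w3.org/2000/09/xmldsig#}"     # XML-DSig namespace used inside SAML metadata


# ---- minimal DER (ASN.1) helpers: just enough to walk an X.509 certificate -------------
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _tlv(buf: bytes, pos: int):
    """Decode the TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val


def cert_not_after(der: bytes) -> dt.datetime:
    """Return Validity.notAfter as UTC: Certificate -> tbsCertificate -> the SEQUENCE of two times."""
    _, cert_body, _ = _tlv(der, 0)               # outer Certificate SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)               # tbsCertificate is its first element
    for tag, val in _children(tbs):
        inner = list(_children(val)) if tag == 0x30 else []
        if len(inner) == 2 and inner[0][0] in (0x17, 0x18):   # UTCTime / GeneralizedTime pair
            t, raw = inner[1]
            fmt = "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ"
            return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)
    raise ValueError("no Validity sequence found in certificate")


def sha1_thumbprint(der: bytes) -> str:
    """Assumed thumbprint convention: SHA-1 over the DER encoding, uppercase hex, no separators."""
    return hashlib.sha1(der).hexdigest().upper()


def signing_certs_from_metadata(xml_text: str) -> list:
    """Every ds:X509Certificate in a SAML metadata document, decoded to DER bytes."""
    root = ET.fromstring(xml_text)
    return [base64.b64decode("".join(e.text.split())) for e in root.iter(DS + "X509Certificate")]


def check_certificate(der: bytes, configured_thumbprint: str, today: str) -> dict:
    """Compare the published cert with the configured thumbprint and grade its remaining lifetime.
    today is an ISO date (YYYY-MM-DD) so runs are reproducible; a scheduler passes the real date."""
    now = dt.datetime.fromisoformat(today).replace(tzinfo=dt.timezone.utc)
    not_after = cert_not_after(der)
    days_left = (not_after - now).days
    actual = sha1_thumbprint(der)
    return {
        "thumbprint": actual,
        "thumbprint_matches": actual == configured_thumbprint.replace(":", "").replace(" ", "").upper(),
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "expired": days_left < 0,
        "alert": min((d for d in ALERT_DAYS if days_left <= d), default=None),  # tightest threshold crossed
    }


# ---- constructed sample: structurally valid X.509 DER with placeholder content ----------
def build_sample_cert(not_before: str, not_after: str) -> bytes:
    """UTCTime strings such as '240605000000Z'. Placeholder issuer/subject, empty key and signature."""
    seq = lambda *parts: _der(0x30, b"".join(parts))
    alg = seq(_der(0x06, bytes.fromhex("2A864886F70D01010B")), _der(0x05, b""))   # sha256WithRSA, NULL
    name = seq(_der(0x31, seq(_der(0x06, b"\x55\x04\x03"), _der(0x0C, b"idp.placeholder.example"))))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")),  # [0] version v3
              _der(0x02, b"\x01"),               # serialNumber
              alg, name,                         # signature algorithm, issuer
              seq(_der(0x17, not_before.encode()), _der(0x17, not_after.encode())),   # validity
              name, seq(alg, _der(0x03, b"\x00")))   # subject, placeholder subjectPublicKeyInfo
    return seq(tbs, alg, _der(0x03, b"\x00"))        # signatureAlgorithm, empty signatureValue


SAMPLE_DER = build_sample_cert("240605000000Z", "250605000000Z")   # constructed: expires 2025-06-05
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.placeholder.example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def run_check(metadata_xml: str, configured_thumbprint: str, today: str) -> list:
    return [check_certificate(der, configured_thumbprint, today)
            for der in signing_certs_from_metadata(metadata_xml)]


if __name__ == "__main__":
    stale = "00" * 20   # stands in for a client registration nobody updated after renewal
    for result in run_check(SAMPLE_METADATA, stale, dt.date.today().isoformat()):
        print(result)
```

Run from a scheduler with the real metadata document, push `days_left` as the custom metric and alert on `alert` and `expired`; a `thumbprint_matches` of false right after a renewal is the "step most people miss" from the first answer, caught before the 401s start.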