Summary:

Basware InvoiceReady Single Sign-On (SSO) service certificate is going to expire on June 22, 2026. For the renewal of the certificate in a seamless manner, a maintenance activity will be performed on April 18.

During the maintenance activity, the new SSO certificate will be set as primary and the old SSO certificate will be removed.

Details of the expiring certificate:

Serial Number: ‎73CDD24C3FF806F763B08CD7
Issuer: GlobalSign GCC R3 DV TLS CA 2020
Subject: CN = sso.ir.basware.com
Validity period: May 21, 2025 to June 22, 2026

Please note that, as an initial step on March 13, 2026, the new SSO certificate was added as a secondary certificate and the federation metadata has been updated. 

The following steps need to be reviewed and verified by the customer’s internal IT department and/or 3rd party hosting provider that is managing the IdP.

If your Identity Provider (IdP) is checking that the SSO request coming from Basware InvoiceReady is signed or if your IdP is sending an encrypted token back to Basware InvoiceReady SSO, then the maintenance activity will impact your user logins. If recommended actions are not completed, SSO logins will fail until the new certificate is updated and integrated within the IdP trust setup.

Instructions:

For customers using a local Basware metadata file

If the Basware InvoiceReady Single Sign-On (SSO) integration is configured using a local copy of Basware's federation metadata file, there are below options available:

• The latest metadata file can be downloaded by using the URL: https://sso.ir.basware.com/federationmetadata/2007-06/federationmetadata.xml or download the new public certificate from here. Please make sure not to make the change before the April 18 planned maintenance.

 

For Customers using Basware Metadata URL

If the SSO integration is configured using Basware federation metadata URL https://sso.ir.basware.com/federationmetadata/2007-06/federationmetadata.xml and is configured to automatically update metadata information at regular intervals. It is recommended that a manual trigger of the metadata update be performed immediately after the planned maintenance on April 18.

Basware Recommendations:

• Please do not delete or remove the existing IdP trusts configured in the SSO solution. In case a trust deletion is mandatory, please keep a backup of the current trust setup as this will help in troubleshooting if any issues in the new trust setup are encountered.
• Test the SSO login to Basware InvoiceReady service after the April 18 certificate renewal maintenance activity.

  

Frequently asked questions:

Q: How do we know if our authentication to the Basware InvoiceReady system will be impacted by this maintenance?

A: If your logins to the Basware InvoiceReady service are based on Single Sign-on (SSO) authentication, then you could be impacted by this maintenance.

Q: How will my Basware InvoiceReady service access and usage be impacted if I do not take the necessary actions in a timely manner?

A: In case the necessary actions in relation to this maintenance are not performed the SSO authentication to the Basware InvoiceReady services may not work after the certificate renewal on April 18.

Q: Who should I forward the information related to this maintenance within my organization?

A: The details related to the maintenance should be forwarded to your IT department or to the IT service vendor, who manages the IdP trust setup used for Basware InvoiceReady services.

Q: What should we do if we update the certificate or IdP trust on our side but observe errors when trying to login to Basware InvoiceReady service?

A: In case you encounter any issues after the maintenance, please contact Basware Support by opening a case in reference to this maintenance: BWPB0048604.

Q: Can we perform the update of the IdP trust for Basware InvoiceReady before the maintenance date?

A: Yes, if your SSO solution supports multiple certificates, as the new certificate was updated as secondary on March 13. The new certificate is already reflecting in the federation metadata. Please do not remove or replace the expiring certificate before April 18 maintenance.

Q: How can we download the new Basware InvoiceReady SSO certificate, if needed?

A: The new public certificate can be downloaded from this page under the instructions section. However, it is recommended that the new certificate should only be applied on the IdP trust setup after the April 18 planned maintenance activity. As during the maintenance, we will promote this new certificate as primary on Basware InvoiceReady SSO.

Q: What do I need to do in case my IdP trust for Basware InvoiceReady SSO does not have a configuration setting for either a certificate or a metadata URL?

A: If the IdP setup does not require our certificate or metadata URL, no action is required in this case. However, it is still recommended to test access to the InvoiceReady service via SSO after the April 18 maintenance is completed.