Basware InvoiceReady Single Sign-On (SSO) Service certificate renewal


Basware InvoiceReady Single Sign-On (SSO) service certificate is going to expire on June 4, 2024. For the renewal of the certificate in a seamless manner, a maintenance activity will be performed on May 11.

During the maintenance activity, the new SSO certificate (Serial Number: 7175cf73625f5669452c72f51f77d47d) will be set as primary and the old SSO certificate (Serial Number: 242e0728de2ade235592ab34be6b3859) will be removed.

Details of the expiring certificate:

Serial Number: 242e0728de2ade235592ab34be6b3859
Issuer: Entrust Certification Authority - L1K
Subject: CN =
Validity period: May 4, 2023
 to June 4, 2024

Please note that, as a first step, on May 7, 2024 the new SSO certificate was added as secondary and is updated in the federation metadata. Details of the new certificate will be communicated during this time. 

The following steps need to be reviewed and verified by the customer’s internal IT department and/or 3rd party hosting provider that is managing the IdP.

If your Identity Provider (IdP) is checking that the SSO request coming from Basware InvoiceReady is signed or if your IdP is sending an encrypted token back to Basware InvoiceReady SSO, then the maintenance activity will impact your user logins. If recommended actions are not completed, SSO logins will fail until the new certificate is updated and integrated within the IdP trust setup.


For customers using a local Basware metadata file

If the Basware InvoiceReady Single Sign-On (SSO) integration is configured using a local copy of Basware's federation metadata file, there are below options available:


For Customers using Basware Metadata URL

If the SSO integration is configured using Basware federation metadata URL and is configured to automatically update metadata information at regular intervals. It is recommended that a manual trigger of the metadata update be performed immediately after the planned maintenance on May 11.

Basware Recommendations:



Frequently asked questions:

Q: How do we know if our authentication to the Basware InvoiceReady system will be impacted by this maintenance?

A: If your logins to the Basware InvoiceReady service are based on Single Sign-on (SSO) authentication, then you could be impacted by this maintenance.

Q: How will my Basware InvoiceReady service access and usage be impacted if I do not take the necessary actions in a timely manner?

A: In case the necessary actions in relation to this maintenance are not performed the SSO authentication to the Basware InvoiceReady services may not work after the certificate renewal on May 11.

Q: Who should I forward the information related to this maintenance within my organization?

A: The details related to the maintenance should be forwarded to your IT department or to the IT service vendor, who manages the IdP trust setup used for Basware InvoiceReady services.

Q: What should we do if we update the certificate or IdP trust on our side but observe errors when trying to login to Basware InvoiceReady service?

A: In case you encounter any issues after the maintenance, please contact Basware Support by opening a case in reference to this maintenance: BWPB0047097.

Q: Can we perform the update of the IdP trust for Basware InvoiceReady before the maintenance date?

A: Yes, if your SSO solution supports multiple certificates as the new certificate was updated as secondary on May 7th. The new certificate is already reflecting in the federation metadata. Please do not remove or replace the expiring certificate before the May 11 maintenance.

Q: How can we download the new Basware InvoiceReady SSO certificate, if needed?

A: The new public certificate can be downloaded from this page under the instructions section. However, it is recommended that the new certificate should only be applied on the IdP trust setup after the May 11 planned maintenance activity. As during the maintenance, we will promote this new certificate as primary on Basware InvoiceReady SSO.

Q: What do I need to do in case my IdP trust for Basware InvoiceReady SSO does not have a configuration setting for either a certificate or a metadata URL?

A: If the IdP setup does not require our certificate or metadata URL, no action is required in this case. However, it is still recommended to test the access to the InvoiceReady service via SSO after the May 11 maintenance is completed.