Accessing a Tenant's Private Key

Overview

Administrators may believe it is necessary to locate the tenant private key to sign a request for a Security Assertion Markup Language (SAML) connection. This article explains the functionality and accessibility of the tenant private key.

Applies To

  • SAML Connection
  • Signing Certificates
  • Private Keys
  • Tenant Certificate
  • Tenant Private Key
  • Tenant Signing Key

Solution

Administrators do not have direct access to view the tenant private key. The system restricts the management of sensitive information, such as private keys, to ensure security and privacy. The system uses the tenant private signing key to sign SAML requests when acting as a SAML Service Provider (SP) and to sign tokens when acting as an OpenID Connect (OIDC) or OAuth 2.0 Identity Provider (IdP).

By default, the system also uses the tenant private signing key to sign SAML requests when the Sign Request toggle is enabled on a SAML connection. Administrators can use a custom key to sign requests by providing a private/public key pair for a specific connection.
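The following added example (not code from this product or its documentation) shows why only the signing side needs a private key: a request signed with a per-connection custom key verifies with that key's public half alone, and fails against any other public key. The function names, file names, and request bytes are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```bash
# Added example. Keys and request bytes are constructed, not a real tenant key.
# Function and file names are hypothetical.

# Create the private/public key pair an administrator would supply for one connection.
make_pair() {  # $1 = directory, $2 = base name
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/$2.key" 2>/dev/null &&
  openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub"
}

# Signing needs the private key; this is the step the signing side keeps to itself.
sign_request() {  # $1 = private key, $2 = data file, $3 = signature file
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verification needs only the public half, which is all the remote party holds.
verify_request() {  # $1 = public key, $2 = data file, $3 = signature file
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Pre-upload check: does this public key really belong to this private key?
pair_matches() {  # $1 = private key, $2 = public key
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl pkey -pubin -in "$2" -pubout)" ]
}

demo() {
  dir=$(mktemp -d) || return 1
  # "tenant" stands in for the default key, "custom" for the per-connection key.
  make_pair "$dir" tenant && make_pair "$dir" custom || return 1
  printf '%s' '<samlp:AuthnRequest ID="_constructed-example"/>' > "$dir/req.xml"
  sign_request "$dir/custom.key" "$dir/req.xml" "$dir/req.sig" || return 1
  verify_request "$dir/custom.pub" "$dir/req.xml" "$dir/req.sig" \
    && echo "custom public key: signature valid"
  verify_request "$dir/tenant.pub" "$dir/req.xml" "$dir/req.sig" \
    || echo "tenant public key: signature rejected (wrong key for this connection)"
  pair_matches "$dir/custom.key" "$dir/custom.pub" && echo "custom pair matches"
  rm -rf "$dir"
}
demo
```

Running `pair_matches` before supplying a custom pair catches a mismatched key and public key, which would otherwise surface only as signature failures on the remote side.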

Exporting a tenant private signing key is not supported. However, an Early Access feature available to Enterprise plans allows uploading a custom signing key.
