Sourcegraph Help Center home

Forcing SAML identityProviderMetadataURL refresh after certificate renewal

Problem

After you renew the SAML signing certificate in your identity provider, Sourcegraph keeps using the metadata it cached from identityProviderMetadataURL. That cached copy still carries the old certificate, so SAML responses signed with the new key fail signature validation and SSO stays broken until the metadata is refreshed.

Cause

  • Sourcegraph caches the metadata it retrieves from the configured identityProviderMetadataURL.

  • The cache is refreshed only by a background process, which can take up to 24 hours, and there is no UI control to force an immediate refresh.

  • The cache is keyed on the configured URL string, so as long as identityProviderMetadataURL stays byte-for-byte identical, Sourcegraph keeps serving the cached entry even though the IdP now publishes a new certificate.

Workarounds

  • Wait for the automatic background refresh (about 15 minutes to 24 hours).

  • Append an unused query parameter to identityProviderMetadataURL (?v=2 if the URL has no query string yet, &v=2 if it already has one). The changed URL string misses the cache, so Sourcegraph fetches fresh metadata from the IdP.

  • As an alternative, switch temporarily to identityProviderMetadata and paste the provider's current metadata XML, which contains the new signing certificate. Pasted XML is never refreshed automatically, so switch back to the URL-based setting once the URL-based fetch returns the updated metadata.

  • Delete the cached entries from Redis so the next fetch goes to the IdP. Note that redis-cli DEL does not expand wildcards, so enumerate the keys with --scan and pipe them to DEL. In this example, replace login.microsoftonline.com with the host of your identityProviderMetadataURL, and list the matching keys first to confirm you are deleting the right ones:

    kubectl -n <namespace> exec <redis-store-pod> -- redis-cli --scan --pattern 'tnt_1:v2:http:*login.microsoftonline.com*'
    kubectl -n <namespace> exec <redis-store-pod> -- sh -c "redis-cli --scan --pattern 'tnt_1:v2:http:*login.microsoftonline.com*' | xargs -r redis-cli DEL"
    kubectl -n <namespace> exec <redis-store-pod> -- sh -c "redis-cli --scan --pattern 'tnt_1:v2:saml_idp_metadata_v2:*' | xargs -r redis-cli DEL"

Recommended procedure

  1. Renew the certificate in your identity provider (Entra ID/Azure AD).

  2. Keep the same metadata URL. If SSO fails immediately after the new certificate is activated, wait for the automatic background refresh or apply one of the workarounds above.

  3. After confirming SSO works, remove any temporary URL parameter if desired.
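As an added example (not Sourcegraph's own code or tooling), the following Python script ties the checks above together: it extracts the signing-certificate fingerprints from two copies of the IdP metadata to confirm the IdP really publishes a new certificate, builds the cache-busting URL with the correct ? or & separator, and assembles the kubectl/redis-cli purge commands using SCAN instead of a wildcard DEL. The metadata documents, certificate bytes, tenant ID, namespace and pod name are constructed placeholders; the tnt_1:v2 key prefix is the one shown in this article and should be confirmed with --scan on your instance before anything is deleted.

```python
# Added example (not Sourcegraph's code): verify that the IdP's published
# metadata carries a new signing certificate, then build the cache-busting
# identityProviderMetadataURL and the Redis purge commands. Stdlib only.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def signing_cert_fingerprints(metadata_xml: str) -> list[str]:
    """Fingerprints of every signing certificate advertised by the IdP.
    A KeyDescriptor with no 'use' attribute is valid for signing as well."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata often wraps the base64 across lines; drop whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint_der(der))
    return fps


def metadata_changed(old_xml: str, new_xml: str) -> bool:
    """True when the set of signing certificates differs between two copies
    of the metadata (e.g. what Sourcegraph cached vs. a fresh fetch)."""
    return set(signing_cert_fingerprints(old_xml)) != set(signing_cert_fingerprints(new_xml))


def cache_bust_url(url: str, token: str = "2") -> str:
    """Append (or replace) an unused 'v' query parameter. The cache is keyed
    on the exact URL string, so any change forces a fresh fetch; this picks
    '?' vs '&' correctly instead of hand-editing the string."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "v"]
    query.append(("v", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def redis_purge_commands(url: str, namespace: str, pod: str,
                         key_prefix: str = "tnt_1:v2") -> list[list[str]]:
    """kubectl argv lists that purge the cached metadata. redis-cli DEL takes
    no wildcards, so keys are enumerated with --scan and piped to DEL.
    key_prefix is the one shown in the article (assumption: confirm with
    --scan on your instance). Assumes sh and xargs exist in the Redis pod."""
    host = urlsplit(url).hostname or ""
    patterns = [f"{key_prefix}:http:*{host}*", f"{key_prefix}:saml_idp_metadata_v2:*"]
    return [
        ["kubectl", "-n", namespace, "exec", pod, "--", "sh", "-c",
         f"redis-cli --scan --pattern '{p}' | xargs -r redis-cli DEL"]
        for p in patterns
    ]


# --- constructed sample data (NOT real certificates, not a real tenant) -----
def constructed_metadata(signing_der: bytes) -> str:
    """Minimal IdP metadata with one signing and one encryption key."""
    b64 = base64.b64encode(signing_der).decode()
    enc = base64.b64encode(b"constructed-encryption-cert").decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{enc}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


OLD_CERT_DER = b"constructed-old-signing-cert-bytes"   # placeholder, not DER
NEW_CERT_DER = b"constructed-new-signing-cert-bytes"   # placeholder, not DER
OLD_METADATA = constructed_metadata(OLD_CERT_DER)
NEW_METADATA = constructed_metadata(NEW_CERT_DER)
METADATA_URL = ("https://login.microsoftonline.com/<tenant-id>"
                "/federationmetadata/2007-06/federationmetadata.xml")


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Fetch the live metadata over the network (not used by the offline demo)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo on the constructed documents; swap in fetch_metadata(url)
    # for NEW_METADATA to compare a live fetch against the copy you cached.
    print("signing cert changed:", metadata_changed(OLD_METADATA, NEW_METADATA))
    print("cache-busting URL:", cache_bust_url(METADATA_URL))
    for argv in redis_purge_commands(METADATA_URL, "sourcegraph", "redis-store-0"):
        print("would run:", " ".join(argv))
        # import subprocess; subprocess.run(argv, check=True)  # to actually purge
```

Run the comparison against a live fetch before purging anything: if the fingerprint the IdP serves is still the old one, the problem is upstream and no cache refresh on the Sourcegraph side will help.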

Notes and next steps

  • Before escalating, fetch identityProviderMetadataURL yourself (for example with curl) and confirm that the X509Certificate in the signing KeyDescriptor is the renewed one; if the IdP still publishes the old certificate, no cache refresh on the Sourcegraph side will help.

  • If issues persist despite these steps, collect SAML and Sourcegraph logs and open a support request, including the observed SSO behavior and timestamps.