How to Add/Update a New SAML Certificate for Quip

To replace your SAML certificate within Quip, first start by creating a new certificate in your Identity Provider or download the certificate to your computer if you received an email containing the new certificate. If you need to update or change your entire SAML configuration, review our guide Security Assertion Markup Language for additional information. 

Once you receive your new certificate, open the Quip Admin console and navigate to Settings, select Accounts & Access.

1. Click the dropdown on the active configuration, and select Manage.
2. After selecting Manage, select Edit Configuration.
3. Below the existing textbox with your prior certificate, click Add Another Certification.
4. Copy and paste the new certificate into this additional text box, and click Continue.
   1. You may need to rename the SAML configuration in this step before clicking Continue if the Naming text box is empty. 
5. After selecting Continue, you will be prompted to test the email you are currently logged into the Admin console with.
   1. Note: You cannot test with another user’s email — you must test with your own email that you are logged into the Admin Console with.
6. Enter your email, and select Test. This will result in a success or failure status. Once the email passes, select Continue.
   1. If you receive a Failed status, you may want to check for the following:
      1. Have you been properly assigned to the Identity Provider?
      2. Is your SAML configuration (XML) currently signing the Authentication Response? (We do not allow for Signed Authentication Responses)
      3. Is your Certificate currently valid?
7. Once your test email has passed, you will then be allowed to assign the configuration to Selected Users or to the Entire Company.
   1. If you select Selected Users — this will allow you to test the configuration for only these selected members, and will not apply to all of your Site Members.
   2. If you select Entire Company — this will allow the configuration to apply to all of your Site Members.
8. Select Update on the configuration within the Quip Admin Console, your SAML configuration will then be updated to use the new certificate instead of the expiring or expired certificate. 

If Salesforce is your Identity Provider for SAML, follow these instructions to create a new certificate for your SAML configuration before the original expires: 

1. From the Salesforce Setup Menu, use the Quick Find Box to search for Certificate and Key Management.
2. Select Create Self-Signed Certificate.
3. Enter a descriptive label for the Salesforce certificate. This name is used primarily by administrators when viewing certificates and should not be named "Quip". 
   1. We recommend names such as "Quip SAML" or "Quip SF SAML", to ensure the API name does not list only "Quip" as that can cause issues for the Quip Salesforce Integration. 
4. Enter a unique name. You can use the name that’s automatically populated based on the certificate label you enter.
   1. This name can contain only underscores and alphanumeric characters, and must be unique in your organization. 
   2. It must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
   3. Use the unique name when referring to the certificate using Lightning Platform APIs or Apex.
5. Select a key size for your generated certificate and keys.
   1. Certificates with 2048-bit keys last one year and are faster than certificates with 4096-bit keys.
   2. Certificates with 4096-bit keys last two years.
   3. Downloaded self-signed certificates have .crt extensions.
6. Click Save.
7. Click on the Quip Connected App for your SAML configuration. Make sure you do not use the Connected App for your Quip Integration, which should only be labeled as "Quip".
   
   1. After you successfully save a Salesforce certificate, the certificate and corresponding keys are automatically generated. For more notes about this process within Salesforce, use this guide.
8. Click on the Quip Connected App for your SAML configuration. Make sure you do not use the Connected App for your Quip Integration, which should only be labeled as "Quip". 
9. Click Edit Policies, and under the section SAML Service Provider Settings, click on the drop down for the field Idp Certificate to change to the newly saved certificate and select Save at the bottom of the page.

Once you have updated your certificate within your Salesforce Identity Provider Connected App, you can then follow the steps above to replace your certificate within the Quip Admin Console.