Marketing Cloud - SSO Certificate Expiration

What are next steps?
Once available, SSO admins should select the latest certificate in Setup > Security > Security Settings > Single Sign-On Settings from the enterprise parent account and click Save. Then, update the identity provider (IdP) with the certificate as appropriate.

When will the new certificate be made available?
The "Dec 2024" certificate is now available. Further updates will be posted to this page and the Trailhead Community 'Certificate Changes' group.

Once the new certificate is made available, what do I need to do to upgrade?  
Follow instructions in Update Your Marketing Cloud SSO Certificate.

What happens if my certificate is expired and the future cutoff date has passed?
These login scenarios will fail:
(a) SP-initiated SSO login flows (signed AuthNRequest)
(b) IdP-initiated flows with signed assertions (EncryptedAssertion)
(c) IdP performs certificate expiration validation

What happens if my SSO becomes non-functional due to certificate validity being enforced?
Work with your internal team to confirm if a user exists that is not an SSO user. As a best practice, to avoid scenarios where no users have access to a Marketing Cloud account implemented with SSO, it is recommended to keep a user in this setting to avoid complete loss of access. After confirming that you have access to a non-SSO user, perform the following:

1. Log into the top-level MC account (EntepriseID).
2. Navigate to Setup > Security > Security Settings > Single Sign-On Settings > Select the Dec 2024 certificate > click Save.
3. Download the metadata and extract the certificate following this documentation.
4. Apply the Dec 2024 certificate in your Identity Provider.
5. Test that SSO is working for all SSO users.