Troubleshooting SSO Login Issues with Google SAML Configuration

Last updated: February 9, 2026

If you are seeing SSO login failures and a Google 400 error referencing an invalid or malformed certificate, this almost always indicates a configuration issue in Google’s SAML setup rather than a problem with Aptible or a corrupted certificate.

This article explains the most common causes and how to resolve them.

What the error usually means

A Google error such as malformed_certificate or invalid certificate indicates that Google attempted to sign a SAML assertion using a certificate that does not match the certificate Aptible is configured to trust.

Because Aptible supports only a single active SAML signing certificate, any mismatch will cause SSO login to fail.

Common causes we see with Google SAML

  • A SAML signing certificate was rotated in Google due to expiration or upcoming expiration.

  • The new certificate was added to Google’s SSO IdP configuration, but the Aptible SAML application was still assigned an old or expired certificate.

  • Multiple certificates exist in Google, but the application is signing assertions with a certificate different from the one configured in Aptible.

  • A certificate was manually copied instead of being kept in sync with the application’s active signing certificate.

How Google SAML certificate assignment works

Google manages SAML certificates in multiple places:

  • The Google SSO Identity Provider configuration

  • The individual SAML application configuration

It is possible for Google to show a valid certificate in one part of the Admin UI while the application itself is still signing assertions with a different or expired certificate.

Because Aptible supports only one active certificate, the certificate assigned to the Google application must exactly match the certificate configured in Aptible.

How to fix the issue

  1. Identify the active certificate in Google
    In the Google Admin console, review the certificates available for your SAML application and identify the certificate currently assigned to the Aptible application.

  2. Remove or unassign expired certificates from the application
    Ensure that no expired or unused certificates remain assigned to the Aptible application. Google may allow multiple certificates to exist, but the application must use only the active, valid one.

  3. Update the certificate in Aptible
    Copy the active signing certificate from the Google application configuration and update the SAML certificate in Aptible so it exactly matches.

  4. Avoid relying on multiple certificates
    Do not leave multiple signing certificates assigned in Google during normal operation. Since Aptible supports only one active certificate, any rotation must be done carefully and deliberately.

  5. Test SSO after changes
    Save all changes in Google, wait a few minutes for propagation, then retry SSO login to Aptible.
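One way to confirm the "exactly matches" requirement in step 3 before retesting, shown as an added example (not Aptible or Google tooling): compare SHA-256 fingerprints of the decoded certificate bytes, so differences in line wrapping, line endings, or missing PEM headers do not hide or fake a mismatch. The function names and the sample data are assumptions; the samples are constructed placeholder bytes, not real certificates, and the script does not check expiry.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_der(text):
    """Decode one certificate, given as PEM or as bare base64, to DER bytes."""
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) > 1:
        # Only one signing certificate can be active, so a bundle is an error.
        raise ValueError("input holds more than one certificate")
    body = blocks[0] if blocks else text
    b64 = re.sub(r"\s+", "", body)
    if not b64:
        raise ValueError("no certificate data found")
    # validate=True rejects stray characters picked up during copy and paste.
    return base64.b64decode(b64, validate=True)

def fingerprint(text):
    """SHA-256 of the DER encoding; independent of wrapping and headers."""
    return hashlib.sha256(cert_der(text)).hexdigest()

def same_certificate(google_cert, aptible_cert):
    return fingerprint(google_cert) == fingerprint(aptible_cert)

def to_pem(der, width=64, newline="\n"):
    """Helper for the constructed samples below."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

# Constructed placeholder bytes standing in for real DER certificates.
ACTIVE_DER = bytes(range(64)) * 3
EXPIRED_DER = bytes(range(1, 65)) * 3

GOOGLE_APP_CERT = to_pem(ACTIVE_DER)                 # as downloaded
APTIBLE_PASTED = to_pem(ACTIVE_DER, 76, "\r\n")      # re-wrapped, CRLF
APTIBLE_STALE = to_pem(EXPIRED_DER)                  # old certificate
BARE_BASE64 = base64.b64encode(ACTIVE_DER).decode()  # no PEM armor

if __name__ == "__main__":
    print("google :", fingerprint(GOOGLE_APP_CERT))
    print("match  :", same_certificate(GOOGLE_APP_CERT, APTIBLE_PASTED))
    print("stale  :", same_certificate(GOOGLE_APP_CERT, APTIBLE_STALE))
```

To use it on real data, replace the sample strings with the certificate text copied from the Google application and the text configured in Aptible.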

Best practices going forward

  • Treat SAML certificate rotation as a coordinated change between Google and Aptible.

  • Update the certificate in Aptible immediately after changing the certificate assigned to the Google application.

  • Remove expired certificates from the Google application once rotation is complete.

  • Test SSO immediately after any certificate change.

When to contact support

If SSO login issues persist after confirming that a single, valid certificate is assigned in Google and configured in Aptible, please provide:

  • The exact Google error message

  • The approximate timestamp of the failed login attempt

  • Confirmation of which certificate is currently assigned to the Google SAML application

This information allows us to quickly determine whether Google is signing assertions with a certificate that does not match Aptible’s configuration.