> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://help.sigmacomputing.com/llms.txt.
> For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://help.sigmacomputing.com/_mcp/server.

# Get a SAML service provider certificate (Beta)

GET https://api.sigmacomputing.com/v2/saml/service-providers/{samlServiceProviderId}/certificates/{samlServiceProviderCertificateId}

Get a certificate to use with your IdP when configuring Sigma as a service provider.

**Beta**: This documentation describes a public beta feature and is subject to the [Beta features](/docs/sigma-product-releases#beta-features) disclaimer.

### Usage notes
- To perform this operation, you must use API credentials owned by a user assigned the Admin account type.
- Retrieve the `samlServiceProviderId` by calling the [/saml/service-providers](https://help.sigmacomputing.com/reference/list-saml-service-providers) endpoint.
- Retrieve the `samlServiceProviderCertificateId` by calling the [/saml/service-providers/certificates](https://help.sigmacomputing.com/reference/list-saml-service-provider-certificates) endpoint.
- Signing certificates are used by your IdP to verify signatures that Sigma attaches to SAML requests.
- Encryption certificates are used by your IdP to encrypt SAML responses sent to Sigma.
    

Reference: https://help.sigmacomputing.com/reference/get-saml-service-provider-certificate

## OpenAPI Specification

```yaml
openapi: 3.1.0
info:
  title: sigma-rest-api
  version: 1.0.0
paths:
  /v2/saml/service-providers/{samlServiceProviderId}/certificates/{samlServiceProviderCertificateId}:
    get:
      operationId: getSamlServiceProviderCertificate
      summary: Get a SAML service provider certificate (Beta)
      description: >-
        Get a certificate to use with your IdP when configuring Sigma as a
        service provider.


        **Beta**: This documentation describes a public beta feature and is
        subject to the [Beta
        features](/docs/sigma-product-releases#beta-features) disclaimer.


        ### Usage notes

        - To perform this operation, you must use API credentials owned by a
        user assigned the Admin account type.

        - Retrieve the `samlServiceProviderId` by calling the
        [/saml/service-providers](https://help.sigmacomputing.com/reference/list-saml-service-providers)
        endpoint.

        - Retrieve the `samlServiceProviderCertificateId` by calling the
        [/saml/service-providers/certificates](https://help.sigmacomputing.com/reference/list-saml-service-provider-certificates)
        endpoint.

        - Signing certificates are used by your IdP to verify signatures that
        Sigma attaches to SAML requests.

        - Encryption certificates are used by your IdP to encrypt SAML responses
        sent to Sigma.
            
      tags:
        - SAML
      parameters:
        - name: samlServiceProviderId
          in: path
          required: true
          schema:
            type: string
        - name: samlServiceProviderCertificateId
          in: path
          required: true
          schema:
            type: string
        - name: Authorization
          in: header
          description: OAuth authentication
          required: true
          schema:
            type: string
      responses:
        '200':
          description: The response body.
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/saml_getSamlServiceProviderCertificate_Response_200
servers:
  - url: https://api.sigmacomputing.com
    description: Server for GCP (US) hosted organizations
  - url: https://api.sa.gcp.sigmacomputing.com
    description: Server for GCP (KSA) hosted organizations
  - url: https://aws-api.sigmacomputing.com
    description: Server for AWS US (West) hosted organizations
  - url: https://api.us-a.aws.sigmacomputing.com
    description: Server for AWS US (East) hosted organizations
  - url: https://api.ca.aws.sigmacomputing.com
    description: Server for AWS Canada hosted organizations
  - url: https://api.eu.aws.sigmacomputing.com
    description: Server for AWS Europe hosted organizations
  - url: https://api.au.aws.sigmacomputing.com
    description: Server for AWS Australia and APAC hosted organizations
  - url: https://api.uk.aws.sigmacomputing.com
    description: Server for AWS UK hosted organizations
  - url: https://api.us.azure.sigmacomputing.com
    description: Server for Azure US hosted organizations
  - url: https://api.eu.azure.sigmacomputing.com
    description: Server for Azure Europe hosted organizations
  - url: https://api.ca.azure.sigmacomputing.com
    description: Server for Azure Canada hosted organizations
  - url: https://api.uk.azure.sigmacomputing.com
    description: Server for Azure United Kingdom hosted organizations
  - url: https://api.au.azure.sigmacomputing.com
    description: Server for Azure Australia hosted organizations
components:
  schemas:
    V2SamlServiceProvidersSamlServiceProviderIdCertificatesSamlServiceProviderCertificateIdGetResponsesContentApplicationJsonSchemaPurpose:
      type: string
      enum:
        - signing
        - encryption
      description: >-
        Purpose of the certificate. Use `signing` for signing SAML requests and
        `encryption` for encrypting SAML responses.
      title: >-
        V2SamlServiceProvidersSamlServiceProviderIdCertificatesSamlServiceProviderCertificateIdGetResponsesContentApplicationJsonSchemaPurpose
    saml_getSamlServiceProviderCertificate_Response_200:
      type: object
      properties:
        samlServiceProviderCertificateId:
          type: string
          description: Unique identifier of the SAML service provider certificate
        samlServiceProviderId:
          type: string
          description: Unique identifier of the SAML service provider
        purpose:
          $ref: >-
            #/components/schemas/V2SamlServiceProvidersSamlServiceProviderIdCertificatesSamlServiceProviderCertificateIdGetResponsesContentApplicationJsonSchemaPurpose
          description: >-
            Purpose of the certificate. Use `signing` for signing SAML requests
            and `encryption` for encrypting SAML responses.
        publicKeyCertificate:
          type: string
          description: PEM-encoded X.509 certificate
        isActive:
          type: boolean
          description: Whether the certificate is currently active
        notBefore:
          type: string
          format: date-time
          description: Date and time when the certificate becomes valid
        notAfter:
          type: string
          format: date-time
          description: Date and time when the certificate expires
        createdAt:
          type: string
          format: date-time
          description: When the certificate was created
        createdBy:
          type: string
          description: Identifier of the user who created the certificate
        updatedAt:
          type: string
          format: date-time
          description: When the certificate was last updated
        updatedBy:
          type: string
          description: Identifier of the user who last updated the certificate
      required:
        - samlServiceProviderCertificateId
        - samlServiceProviderId
        - purpose
        - publicKeyCertificate
        - isActive
        - notBefore
        - notAfter
        - createdAt
        - createdBy
        - updatedAt
        - updatedBy
      title: saml_getSamlServiceProviderCertificate_Response_200
  securitySchemes:
    OAuth:
      type: http
      scheme: bearer
      description: OAuth 2.0 authentication

```

## Examples



**Request**

```json
{}
```

**Response**

```json
{
  "samlServiceProviderCertificateId": "cert-9f8b7c6d-1234-4a56-b789-0cdef1234567",
  "samlServiceProviderId": "sp-4a3b2c1d-5678-4e90-8f12-3456789abcde",
  "purpose": "signing",
  "publicKeyCertificate": "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgIEb1Zk1zANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCQ0ExEDAOBgNVBAcMB1NhbiBKb3NlMRMwEQYDVQQKDApFeGFt\ncGxlIEluYzEZMBcGA1UECwwQRXhhbXBsZSBEZXBhcnRtZW50MRQwEgYDVQQDDAtl\nbmNyeXB0LmNvbTAeFw0yNDAxMTUxMDMwMDBaFw0yNTAxMTUxMDMwMDBaMG8xCzAJ\nBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEQMA4GA1UEBwwHU2FuIEpvc2UxEzARBgNV\nBAoMCkV4YW1wbGUgSW5jMRkwFwYDVQQLDBBFeGFtcGxlIERlcGFydG1lbnQxFDAS\nBgNVBAMMC2VuY3J5cHQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAtV6Xq6Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v7Xq1v\n-----END CERTIFICATE-----",
  "isActive": true,
  "notBefore": "2024-01-15T09:30:00Z",
  "notAfter": "2026-01-15T09:30:00Z",
  "createdAt": "2024-01-10T14:22:00Z",
  "createdBy": "admin-user-1234",
  "updatedAt": "2024-04-01T11:15:00Z",
  "updatedBy": "admin-user-5678"
}
```

**SDK Code**

```python
import requests

url = "https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId"

payload = {}
headers = {
    "Authorization": "<token>.",
    "Content-Type": "application/json"
}

response = requests.get(url, json=payload, headers=headers)

print(response.json())
```

```javascript
const url = 'https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId';
const options = {
  method: 'GET',
  headers: {Authorization: '<token>.', 'Content-Type': 'application/json'},
  body: '{}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```

```go
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io"
)

func main() {

	url := "https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId"

	payload := strings.NewReader("{}")

	req, _ := http.NewRequest("GET", url, payload)

	req.Header.Add("Authorization", "<token>.")
	req.Header.Add("Content-Type", "application/json")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
```

```ruby
require 'uri'
require 'net/http'

url = URI("https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Get.new(url)
request["Authorization"] = '<token>.'
request["Content-Type"] = 'application/json'
request.body = "{}"

response = http.request(request)
puts response.read_body
```

```java
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.Unirest;

HttpResponse<String> response = Unirest.get("https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId")
  .header("Authorization", "<token>.")
  .header("Content-Type", "application/json")
  .body("{}")
  .asString();
```

```php
<?php
require_once('vendor/autoload.php');

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId', [
  'body' => '{}',
  'headers' => [
    'Authorization' => '<token>.',
    'Content-Type' => 'application/json',
  ],
]);

echo $response->getBody();
```

```csharp
using RestSharp;

var client = new RestClient("https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId");
var request = new RestRequest(Method.GET);
request.AddHeader("Authorization", "<token>.");
request.AddHeader("Content-Type", "application/json");
request.AddParameter("application/json", "{}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```

```swift
import Foundation

let headers = [
  "Authorization": "<token>.",
  "Content-Type": "application/json"
]
let parameters = [] as [String : Any]

let postData = JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://api.sigmacomputing.com/v2/saml/service-providers/samlServiceProviderId/certificates/samlServiceProviderCertificateId")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error as Any)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()
```