diff --git a/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md b/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md
index 66e99b874e43..8a5fcc8b5de7 100644
--- a/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md
+++ b/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md
@@ -5,9 +5,9 @@ description: Frequently asked questions about Docker SSO and identity provider c
 keywords: identity providers, SSO IdP, SAML, Azure AD, Entra ID, certificate management
 tags: [FAQ]
 aliases:
-- /single-sign-on/idp-faqs/
-- /faq/security/single-sign-on/idp-faqs/
-- /security/faqs/single-sign-on/idp-faqs/
+  - /single-sign-on/idp-faqs/
+  - /faq/security/single-sign-on/idp-faqs/
+  - /security/faqs/single-sign-on/idp-faqs/
 ---
 
 ## Can I use multiple identity providers with Docker SSO?
@@ -29,6 +29,16 @@ To turn on SSO in Docker, you need the following from your IdP:
 
 If your certificate expires, contact your identity provider to retrieve a new X.509 certificate. Then update the certificate in the [SSO configuration settings](/manuals/enterprise/security/single-sign-on/manage.md#manage-sso-connections) in the Docker Admin Console.
 
+### Workarounds if users are locked out
+
+If the certificate has already expired and users cannot access Docker Hub to update the certificate:
+
+- Contact Docker Support to help you regain access to update the certificate
+- Sign in with your Docker username and password to access the Admin Console (if SSO enforcement is not turned on)
+- Maintain a dedicated administrator account (sometimes called a "break-glass" or "guest user" account) that is not subject to SSO for emergency access
+
+To prevent lockouts, monitor your certificate expiration dates and renew certificates before they expire.
+
 ## What happens if my IdP goes down when SSO is turned on?
 
 If SSO is enforced, users can't access Docker Hub when your IdP is down. Users can still access Docker Hub images from the CLI using personal access tokens.