SAML Signing Certificate Has Been Retired
As previously communicated by Salesforce (Default Certificate to Retire on August 7, 2017), the proxy.salesforce.com default certificate has been retired because it expired and in line with security best practices. If your Salesforce org uses this certificate (the “Default Certificate”) for a SAML single sign-on (SSO) configuration, act now to prevent a possible interruption of service.
What has changed?
Beginning with the Winter ’18 release, Salesforce is switching away from the default proxy certificate even if you are still using it. Before the Winter ’18 release, you should manually migrate to a self-signed certificate and update your identity providers to prevent an interruption in service (the Winter ’18 release rolls out on the first and second weekends of October). We recommend switching from the default certificate even if your identity provider doesn’t validate signatures in SAML requests.
How do I know if I’m impacted?
If your org uses SP-initiated SAML login to Salesforce and your identity provider (IdP) validates signatures in SAML requests, this change impacts you. If you do not act before the Winter ’18 release, your users can’t log in via single sign-on to Salesforce.
Also, this change can impact you now or in the future, even if you only use:
SAML for single sign-on.
SP-initiated SAML single sign-on, and don’t use your IdP to validate SAML request signatures.
What do I do?
If your org does not use Single Sign-on, then no action is needed.
If your org uses SP-initiated SAML login to Salesforce, and your IdP validates signatures in SAML requests, switch to a self-managed client certificate before the Winter ’18 release. You should act now to prevent disruption to your Salesforce service.
If your org uses SP-initiated SAML login to Salesforce without IdP validation of signatures in SAML requests, Salesforce recommends switching to a self-managed client certificate to prevent future issues.
If your organization uses multiple SAML configurations, change the request signing certificate from the default certificate to a self-managed certificate. Upload the new certificate to your IdP for use in validation of SAML requests.
If your organization doesn’t use multiple SAML configurations, migrate to multiple SAML configurations by clicking Enable Multiple Configs under Single Sign-On Settings. Make sure to read and understand the information on the migration page before doing so. After migration, update your IdP to change the Assertion Consumer Service URL and upload the new certificate for use in validation of SAML requests.
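The two failure modes this advisory describes (the certificate the IdP has on file has expired, or the SP has rotated to a new certificate the IdP has not received yet) can be checked from the IdP side before users notice. Below is an added example, not Salesforce code or documentation, written against Go's standard library only: it takes the base64 X509Certificate value from the SP's signing KeyDescriptor in its SAML metadata plus the SHA-256 fingerprint the IdP currently trusts, and reports which of the two conditions applies; the certificates it uses are constructed, throwaway self-signed ones, not the retired default certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// auditSigningCert takes the base64 body of the <X509Certificate> element from the SP's signing
// KeyDescriptor (whitespace-wrapped, as in SAML metadata) and the SHA-256 fingerprint the IdP has
// on file; it returns "expired", "idp-not-updated" (live but not the cert the IdP trusts) or "ok".
func auditSigningCert(certB64, idpTrustedFP string, now time.Time) (string, error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(certB64), ""))
	if err != nil {
		return "", fmt.Errorf("decoding certificate: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("parsing certificate: %w", err)
	}
	switch {
	case now.After(cert.NotAfter):
		return "expired", nil
	case fingerprint(der) != idpTrustedFP: // what the SP signs with vs. what the IdP holds
		return "idp-not-updated", nil
	}
	return "ok", nil
}

// fingerprint is the SHA-256 of the DER certificate, the form IdP admin consoles usually show.
func fingerprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// fakeSigningCert makes a throwaway self-signed cert (constructed test data) and returns its base64 body and fingerprint.
func fakeSigningCert(cn string, notAfter time.Time) (b64, fp string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der), fingerprint(der)
}
```

To reproduce the situation in the advisory, generate one certificate that expired on August 7, 2017 and one that is still valid, keep the old fingerprint as what the IdP trusts, and call auditSigningCert with the new certificate: it returns "idp-not-updated" until the new certificate is uploaded to the IdP.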
For more information email firstname.lastname@example.org