SAML Signing Certificate Is Being Retired

As previously communicated in Default Certificate to Retire on August 7, 2017, we are deprecating our SAML proxy certificate. If your Salesforce organization has a Single Sign-On configuration that uses this certificate, take action to prevent a possible interruption of service for login requests initiated from Salesforce.
Available in: All Editions

If your organization has a Single Sign-On configuration that uses a certificate that’s being retired, and has the ability to initiate SAML login requests from Salesforce, we strongly encourage you to enable Multiple SAML Configurations on the Single Sign-On Settings page. Make sure you read and understand the information on the page. Consider the following scenarios:
  • Even if you aren’t currently using SAML, enabling multiple configurations can prevent possible problems with SAML Single Sign-On in the future.
  • If you are using SAML with your Single Sign-On configuration, to continue initiating SAML login requests from Salesforce, you must enable Multiple SAML Configurations and select a certificate for those requests. Also make the necessary changes to your Identity Provider. If you don’t initiate SAML login requests from Salesforce, you can remove the Identity Provider Login URL from your Single Sign-On Settings instead. However, you can’t add one back until you enable Multiple SAML Configurations. If you don’t act by the Winter ’18 release, we’ll switch you to a new certificate, and your ability to initiate SAML login requests from Salesforce can be affected.
  • If you already have Multiple SAML Configurations enabled, to continue initiating SAML login requests from Salesforce with those settings, you must select a new Request Signing Certificate for each one. Go to Single Sign-On Settings and update any SAML Single Sign-On configurations that have an Identity Provider Login URL and are currently using the default certificate as the Request Signing Certificate. If your Identity Provider validates signatures for SAML login requests initiated by Salesforce, upload the new certificate to your Identity Provider. Your ability to initiate SAML login requests from Salesforce can be affected until you do. If you don’t act by the Winter ’18 release, we’ll switch you to a new certificate, and your ability to initiate SAML login requests from Salesforce can be affected.
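
One way to confirm that the Identity Provider trusts the certificate now used for Salesforce-initiated login requests, shown as an added example that is not Salesforce's code. It assumes the request was captured from a binding that embeds the signing certificate in ds:KeyInfo; the function names, the sample request and the certificate bytes are constructed for illustration. It compares fingerprints only and does not validate the signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

# Constructed placeholder bytes standing in for DER certificates (not real X.509).
OLD_CERT = base64.b64encode(b"constructed placeholder: retiring default cert").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder: new request signing cert").decode()


def cert_fingerprint(b64_der):
    """SHA-256 fingerprint of a base64-encoded certificate, ignoring whitespace."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def build_request(b64_cert=None):
    """Constructed, trimmed AuthnRequest; omits the signature when b64_cert is None."""
    signature = ""
    if b64_cert:
        signature = (
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{b64_cert}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        )
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="_constructed1" Version="2.0">{signature}</samlp:AuthnRequest>'
    )


def check_request(authn_request_xml, trusted_fingerprints):
    """Classify a captured request against the fingerprints the IdP trusts."""
    # Parse only requests you captured yourself; use a hardened parser otherwise.
    root = ET.fromstring(authn_request_xml)
    found = [cert_fingerprint(el.text) for el in root.iter(DS_CERT) if el.text]
    if not found:
        return "no-embedded-certificate"
    if all(fp in trusted_fingerprints for fp in found):
        return "trusted"
    return "untrusted-certificate"


if __name__ == "__main__":
    idp_trusts = {cert_fingerprint(OLD_CERT)}  # IdP not yet updated
    print(check_request(build_request(NEW_CERT), idp_trusts))
```

A result of "untrusted-certificate" means the request references a certificate the Identity Provider has not been given yet, which is the condition under which Salesforce-initiated logins can be rejected.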