This is a reminder that the default Salesforce client certificate (proxy.salesforce.com) will retire on August 7, 2017, at 9:30 a.m. US Pacific Time (16:30 UTC). As an admin of a Salesforce org that is configured to use this client certificate in one or more features, you may need to take action prior to August 7, 2017, to prevent any disruption to your use of Salesforce.
What is changing?
Due to the upcoming expiration of the default client certificate, and for security best practices, we will retire the use of this client certificate on August 7, 2017. Customers using the following features may be impacted:
* Customers using SP-initiated SAML will only be impacted if they are configured to sign SAML Requests with the default certificate, and their Identity Provider (IdP) is configured to validate the signature on those SAML requests. After August 7, 2017, Salesforce will continue to sign SAML requests with the default certificate until the Winter '18 release. During the Winter '18 release, your SAML Single Sign-On configurations that use the proxy.salesforce.com default certificate will be switched to a self-signed certificate automatically.
** Only customers that are calling out to HTTPS endpoints that request or require a client certificate are affected. After August 7, 2017, Salesforce will no longer send the default certificate as a client certificate to HTTPS endpoints.
What action do I need to take?
If you are impacted by this change, to ensure no disruption to these features, you will need to switch to a self-managed client certificate with these features prior to August 7, 2017 at 9:30 a.m. US Pacific Time (16:30 UTC). SP-initiated SAML has until the Winter '18 release* to use the default certificate, but the HTTPS callout features will stop using the default certificate on August 7, 2017.
* Currently targeted for October 2017; date subject to change.
What will happen if I don’t take the required actions?
If you do not take the aforementioned actions by August 7, 2017, those features may stop working entirely in your Salesforce environment.
NOTE: Your users will no longer be able to log in to your Salesforce org if you have enabled the following:
•
SP-initiated SAML configured to sign SAML Requests with the default certificate, and where your IdP is configured to validate the signature on SAML requests. Salesforce, however, will continue to sign SAML requests with the default certificate until the Winter '18 release.
•
Delegated authentication that is configured to call out to HTTPS endpoints that request or require a client certificate. Unlike SAML, Salesforce will stop using the default certificate on August 7, 2017, for delegated authentication; it does not extend to Winter '18.
Comments