ACTION REQUIRED: Retirement of Default Certificate affects SAML Single Sign On into Salesforce

Product & Service Notification
As an admin of a Salesforce org that uses the client certificate with SAML Single Sign-On, you are being reminded that this client certificate is being retired on August 7, 2017. You may need to take action prior to the Winter '18 release* to prevent any disruption to the Salesforce service.

* Currently targeted for October 2017; date subject to change.
What is it?
What is the change?
Due to the upcoming expiration of the default client certificate and for security best practices, we will retire the use of the client certificate on August 7, 2017. After August 7, 2017, Salesforce will continue to sign SAML requests with the default cert until the Winter '18 release. During the Winter '18 release, your SAML Single Sign-On configurations that use the default certificate will be switched to a self-signed certificate automatically.
How do I know if I am impacted?
You are impacted by this change if your organization uses Service Provider (SP)-Initiated SAML login to Salesforce and your Identity Provider validates signatures in SAML requests. If you do not take action before the Winter '18 release, your users may be unable to log in via single sign-on to Salesforce at that time.
What action do I need to take?
If your Salesforce org uses SP-Initiated SAML login to Salesforce, and your Identity Provider validates signatures in SAML requests, action is required to ensure there is no disruption to your Salesforce service after the Winter '18 release. Switch to a self-managed client certificate prior to the Winter '18 release.

If your org uses SP-initiated SAML Login to Salesforce without Identity Provider validation, Salesforce recommends switching to a self-managed client certificate to prevent future issues.

If your organization uses multiple SAML configurations, you must change the request signing certificate to a self-managed certificate instead of the default certificate. You must also upload the new certificate to your Identity Provider for use in validation of SAML requests.

If your organization does not use Multiple SAML Configurations, you must migrate to Multiple SAML Configurations by clicking the "Enable Multiple Configs" button on the Single Sign-On settings page. Please make sure to read and understand the information on the migration page when doing so. After migration, you will need to update your Identity Provider to change the Assertion Consumer Service URL as well as upload the new certificate for use in validation of SAML requests.
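
The impact check and the certificate upload described above can be verified from SAML metadata. The following is an added example, not Salesforce code or tooling: it reads the Identity Provider's metadata for the standard `WantAuthnRequestsSigned` flag and compares the SP signing certificates registered at the Identity Provider with the new self-managed certificate. It assumes both metadata documents can be exported; the function names and sample data are constructed for illustration, and the metadata flag is only an indication, so the Identity Provider's own configuration remains authoritative.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def fingerprint(cert_b64):
    """SHA-256 over the decoded bytes of a base64 certificate body (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def idp_wants_signed_requests(idp_metadata):
    """True if any IDPSSODescriptor declares WantAuthnRequestsSigned as true."""
    root = ET.fromstring(idp_metadata)
    return any(d.get("WantAuthnRequestsSigned", "false").lower() in ("true", "1")
               for d in root.iter(MD + "IDPSSODescriptor"))

def registered_sp_fingerprints(sp_metadata):
    """Fingerprints of SP certificates usable for signing (use="signing" or no use)."""
    found = set()
    for sp in ET.fromstring(sp_metadata).iter(MD + "SPSSODescriptor"):
        for kd in sp.iter(MD + "KeyDescriptor"):
            if kd.get("use", "signing") == "signing":
                found.update(fingerprint(c.text) for c in kd.iter(DS + "X509Certificate") if c.text)
    return found

def assess(idp_metadata, sp_metadata_at_idp, new_cert_b64):
    """Classify readiness for the switch away from the default certificate."""
    if not idp_wants_signed_requests(idp_metadata):
        return "switch recommended: IdP does not declare request-signature validation"
    if fingerprint(new_cert_b64) in registered_sp_fingerprints(sp_metadata_at_idp):
        return "ready: IdP already trusts the self-managed certificate"
    return "action required: upload the self-managed certificate to the IdP"

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD = base64.b64encode(b"constructed-default-cert").decode()
NEW = base64.b64encode(b"constructed-self-managed-cert").decode()
IDP_MD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'entityID="https://idp.example.test"><md:IDPSSODescriptor '
          'WantAuthnRequestsSigned="true" protocolSupportEnumeration='
          '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')
SP_MD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test">'
         '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
         '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
         + OLD + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
         '</md:SPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    print(assess(IDP_MD, SP_MD, NEW))
```

Run it against the metadata exported from your Identity Provider both before and after uploading the new certificate; the result should move from "action required" to "ready".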
Where can I get more information?
For more information on configuring SAML for single sign-on, review the Configure SAML Settings for Single Sign-On help topic. You can also participate in the Official: Salesforce Infrastructure Success Community Group to follow the latest updates and discussion on this impact.

For additional questions, open a case with Support via the Help & Training portal.