          Replace the Default Proxy Certificate for SAML Single Sign-On

          The proxy.salesforce.com default certificate has been retired because it expired and to follow security best practices. If your Salesforce org uses this certificate for SAML single sign-on, act now to prevent a possible interruption of service.

          Available in: Both Salesforce Classic and Lightning Experience
          Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

          Beginning with the Winter ’18 release, Salesforce is switching away from the default proxy certificate even if you are still using it. Before the Winter ’18 release, manually migrate to a self-signed certificate and update identity providers to prevent an interruption in service. We recommend switching from the default certificate even if your identity provider doesn’t validate signatures in SAML requests.

          1. If you are using Single SAML Configurations, enable multiple configurations by clicking Enable Multiple Configs under Single Sign-On Settings. Read and understand all the instructions on that page. Enabling multiple configurations switches the certificate, so skip Step 2.
          2. Edit each affected configuration by changing the Request Signing Certificate to a certificate in your org. If you don’t have a certificate and key pair you want to use, upload one or select Generate self-signed certificate.
          3. Check whether service provider-initiated SAML works properly for your configuration. If it does, no identity provider updates are necessary, and you can skip Steps 4 and 5.
            If you migrated from a single to multiple configurations, update the Assertion Consumer Service URL.
          4. If identity provider updates are necessary, download the certificate you selected for the Request Signing Certificate.
          5. Upload this certificate into the identity provider for use in validating SAML requests from Salesforce. If you migrated to multiple configurations from a single configuration, note the Salesforce Login URL and update the value in the identity provider.
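One way to confirm steps 3 to 5 after the switch, as an added example that is not Salesforce's own code: compare the SHA-256 fingerprint of the certificate downloaded from Salesforce, the copy exported from the identity provider, and the certificate embedded in a captured SP-initiated SAMLRequest. It assumes the request was captured from the HTTP-POST binding and carries its certificate in ds:KeyInfo; all function names are hypothetical and the sample data is constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER bytes inside a PEM certificate file."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def embedded_fingerprints(saml_request_b64: str) -> list:
    """Fingerprints of each ds:X509Certificate in a base64 SAMLRequest (assumed POST binding)."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    return [
        hashlib.sha256(base64.b64decode("".join(node.text.split()))).hexdigest()
        for node in root.iter(DS + "X509Certificate") if node.text
    ]

def check_migration(saml_request_b64: str, new_pem: str, idp_pem: str) -> str:
    """Compare the request, the Salesforce download and the IdP copy. Identity check
    only: it does not verify the XML signature, which remains the IdP's job."""
    new_fp = pem_fingerprint(new_pem)
    if pem_fingerprint(idp_pem) != new_fp:
        return "idp-has-different-certificate"
    found = embedded_fingerprints(saml_request_b64)
    if not found:
        return "no-embedded-certificate"
    return "ok" if all(fp == new_fp for fp in found) else "request-uses-other-certificate"

# --- constructed sample data: placeholder bytes, not real X.509 certificates ---
def sample_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def sample_request(der: bytes) -> str:
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">'
           "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
           + base64.b64encode(der).decode() +
           "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:AuthnRequest>")
    return base64.b64encode(xml.encode()).decode()

OLD_DER = b"constructed-old-default-certificate"
NEW_DER = b"constructed-new-self-signed-certificate"

if __name__ == "__main__":
    print(check_migration(sample_request(NEW_DER), sample_pem(NEW_DER), sample_pem(NEW_DER)))
    print(check_migration(sample_request(OLD_DER), sample_pem(NEW_DER), sample_pem(NEW_DER)))
```

A result other than `ok` points at the step to revisit: a differing IdP copy means step 5 is incomplete, and a request carrying another certificate means a configuration from step 2 still uses a different Request Signing Certificate.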