Active Directory Federation Services limitation for each Salesforce Org while configuring Single Sign On
Knowledge Article Number: 000163471

Description: When setting up Single Sign-On (SSO with SAML) between Salesforce and Active Directory Federation Services (ADFS), there is a known limitation of ADFS whereby a unique certificate (the request-signing, or "proxy", certificate) is required for each Salesforce org. However, Salesforce provides only one certificate, because all SAML requests are sent by the same proxy.
Normally, a Relying Party in ADFS has to be configured for every Service Provider (Salesforce org), using the metadata that can be downloaded from the Single Sign-On settings page within Salesforce or by entering the values manually. Because all SAML requests are sent by the same proxy from the SP (Salesforce) to the IdP, ADFS will prevent the creation of another Relying Party, as the same proxy certificate can't be provided twice.
To overcome this ADFS limitation, instead of having individual Relying Party configurations for each Salesforce org, you only need to configure a single Relying Party in ADFS, then add the My Domain of each org as a "Relying party identifier" under the "Identifiers" tab, and add each org's "Salesforce Login URL" as a "SAML Assertion Consumer Endpoint" under the "Endpoints" tab.
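The same single-Relying-Party setup, scripted with the ADFS PowerShell cmdlets. This is an added example, not part of the Salesforce article; the trust name, certificate path, My Domain hostnames and Login URLs are placeholders, and the permit-all authorization rule is a lab default.

```powershell
# Added example: one ADFS Relying Party Trust covering several Salesforce orgs.
# All org-specific values are placeholders; replace them with your own.
Import-Module ADFS

$rpName = 'Salesforce (all orgs)'

# The single request-signing ("proxy") certificate that Salesforce provides,
# downloaded from the Single Sign-On settings page. Path is a placeholder.
$sfCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    'C:\certs\salesforce-proxy.cer'

# One entry per org: the My Domain (used as the relying party identifier) and the
# org's Salesforce Login URL (used as the SAML Assertion Consumer endpoint).
$orgs = @(
    @{ MyDomain = 'https://org-a.my.salesforce.com'; LoginUrl = 'https://org-a.my.salesforce.com?so=<ORG_A_ID>' },
    @{ MyDomain = 'https://org-b.my.salesforce.com'; LoginUrl = 'https://org-b.my.salesforce.com?so=<ORG_B_ID>' }
)

# Each ACS endpoint needs a distinct index; exactly one is marked as default.
$endpoints = @()
for ($i = 0; $i -lt $orgs.Count; $i++) {
    $endpoints += New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri $orgs[$i].LoginUrl -Index $i -IsDefault ($i -eq 0)
}

# Lab default: permit all authenticated users. Restrict to the intended groups in production.
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier ($orgs | ForEach-Object { $_.MyDomain }) `
    -SamlEndpoint $endpoints `
    -RequestSigningCertificate $sfCert `
    -SignedSamlRequestsRequired $true `
    -IssuanceAuthorizationRules $authzRules

# Verify: every My Domain appears as an identifier and every Login URL has its own endpoint.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.Identifier
$rp.SamlEndpoints | Select-Object Index, IsDefault, Location
```

Because one trust now serves every org, its issuance authorization and claim rules apply to all of them at once, so scope those rules for the broadest org they cover.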