
Salesforce Platform: Replace an Expired Certificate in SSO (Single Sign-On) Settings

Published: Apr 2, 2026
Description

How to Update an Expiring Identity Provider Certificate in Single Sign-On Settings

Overview
When your identity provider's signing certificate is about to expire, or has already expired, you need to update it in your Salesforce SSO (Single Sign-On) settings. SSO is an authentication method that lets users access Salesforce with credentials held by an external identity provider rather than a Salesforce-specific username and password. Salesforce and the identity provider exchange authentication data using SAML (Security Assertion Markup Language), a standard protocol for exchanging authentication and authorization data between an identity provider and a service provider. The certificate stored in SSO settings is the identity provider's signing certificate: Salesforce uses the public key in it to verify the signature on each SAML response, which is what lets Salesforce tell a genuine assertion from a forged one.

The identity provider certificate is issued by the IDP (Identity Provider) team and must be uploaded in Salesforce under Single Sign-On Settings. It is a public certificate only; the IDP keeps the matching private key and should never share it. If the certificate is going to expire soon or has already expired, the Identity Provider team (third party) gets a new certificate issued and shares it with your company's Salesforce System Administrator.

Why This Matters
SAML signing certificates have expiration dates for security purposes. Once the certificate on file has expired, or no longer matches the one the identity provider signs with, users are unable to authenticate via SSO, which results in login failures and productivity disruptions.

Who This Affects
This affects organizations using SAML-based Single Sign-On with an external identity provider such as:

  • Okta, Azure AD (now Microsoft Entra ID), Ping Identity, OneLogin (common enterprise identity providers)
  • Custom SAML identity providers (organizations running their own identity management systems)
  • Federated authentication setups (any organization where users authenticate through a third-party system)

Prerequisites
Before replacing an expired or expiring SSO certificate, ensure you have:

Access & Permissions

  • System Administrator profile, or a profile with the "Customize Application" and "Modify All Data" permissions. Grant this sparingly: whoever can replace the certificate in Single Sign-On Settings can make Salesforce trust assertions signed with a key they control, and so log in as any SSO user
  • Access to Setup → Identity → Single Sign-On Settings
  • A backup admin account that can still log in with a Salesforce username, password and MFA without going through the identity provider, so you can recover if the change breaks SSO

Certificate Requirements

  • For the IDP certificate: the new public certificate file from your Identity Provider team in .crt or .cer format (a PEM- or DER-encoded X.509 certificate, not a .pfx/.p12 bundle, which would contain the private key)
  • For the Salesforce (self-signed) certificate: access to Certificate and Key Management in Setup

Coordination

  • Schedule the certificate replacement with your IDP team to minimize downtime
  • Plan to update both sides together: Salesforce verifies signatures only against the single certificate in the Identity Provider Certificate field, so logins fail from the moment the IDP signs with a key Salesforce does not hold until both sides match again
  • Notify users of a potential brief SSO disruption during the update window
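Before you act on a certificate file, check what it actually contains. The following is an added example in Python (it is not from this article and not Salesforce code; the function names are this example's own) that uses only the standard library to read a PEM or DER certificate, refuse a file that carries a private key, report the validity window and days remaining, and print the SHA-256 fingerprint in the format Okta and Entra ID display. Compare that fingerprint with the value your IDP team confirms through a separate channel, because the certificate you upload becomes the trust anchor for every SSO login: a substituted certificate would let whoever holds its private key sign assertions for any user. The same check applies to the .crt you download from Certificate and Key Management before sending it to the IDP. The certificate the block builds for itself is a constructed, unsigned skeleton so the code runs offline; point `inspect_cert` at the real file instead.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"                                 # 2.5.4.3 commonName
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # used only by the sample builder


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _asn1_time(tag, val):
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _common_name(name):
    """Name is SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN if present."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8")
    return None


def load_der(data):
    """Accept PEM text (.crt/.cer) or raw DER; refuse anything that carries a private key."""
    if b"PRIVATE KEY" in data:
        raise ValueError("file contains a private key; only the public certificate goes into Salesforce")
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":                 # a DER Certificate always starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data


def inspect_cert(data, now=None):
    """Subject CN, validity window, days left and SHA-256 fingerprint (formatted as Okta/Entra show it)."""
    der = load_der(data)
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    fields = _children(_children(cert)[0][1])       # elements of TBSCertificate
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    not_before, not_after = (_asn1_time(t, v) for t, v in _children(fields[3][1]))
    now = now or datetime.now(timezone.utc)
    return {
        "subject_cn": _common_name(fields[4][1]),
        "not_before": not_before,
        "not_after": not_after,
        "days_left": (not_after - now).days,
        "valid_now": not_before <= now <= not_after,
        "sha256": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()),
    }


# --- constructed sample input: an unsigned certificate skeleton, for offline demonstration only ---
def _tlv(tag, value):
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value


def build_sample_cert(cn, not_before, not_after):
    """Structurally valid DER with a placeholder key and signature; it would never verify."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))
    bits = _tlv(0x03, b"\x00" * 33)                 # placeholder BIT STRING
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
           + _tlv(0x30, utc(not_before) + utc(not_after)) + name + _tlv(0x30, alg + bits))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + bits)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n".encode()
```

Run it on the real file as `inspect_cert(open("idp.crt", "rb").read())`. On the command line, `openssl x509 -in idp.crt -noout -dates -fingerprint -sha256` reports the same dates and fingerprint.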

Understanding Certificate Types in Salesforce SSO

There are two primary types of certificates used in SAML-based Single Sign-On configurations:

  1. Identity Provider (IDP) Certificate.
    • Issued and maintained by your third-party Identity Provider (e.g., Okta, Azure AD / Microsoft Entra ID, Ping Identity).
    • Holds the public key Salesforce uses to verify the signature on SAML responses and assertions sent from the IDP
    • Stored in Salesforce under Single Sign-On Settings (the Identity Provider Certificate field)
    • Typical lifespan: 1-3 years (varies by IDP)
    • Must be updated in Salesforce when the IDP rotates to a new certificate
  2. Service Provider (Salesforce) Certificate.
    • Generated within Salesforce via Certificate and Key Management
    • Used to sign the SAML requests Salesforce sends to the IDP (SP-initiated SSO and single logout) and, optionally, to decrypt encrypted assertions; Salesforce keeps the private key, and the IDP only needs the public .crt
    • Self-signed certificates created in Salesforce
    • Available key sizes: 2048-bit and 3072-bit (1 year validity), 4096-bit (2 years validity)
    • File extension: .crt

Step-by-Step Instructions

Replacing an Identity Provider Certificate (Most Common)

  1. Navigate to Single Sign-On Settings
    • In Lightning Experience: Click the Gear icon → Setup → Identity → Single Sign-On Settings.
    • In Salesforce Classic: Setup → Administer → Security Controls → Single Sign-On Settings
  2. Edit Your SSO Configuration
    • Locate the SSO setting that needs the certificate update
    • Click Edit
  3. Upload the New Certificate
    • Find the Identity Provider Certificate field
    • Click Choose File
    • Select your new certificate file (.crt or .cer extension)
    • Verify the correct file is selected, and that its fingerprint matches the value your IDP team confirmed through a separate channel
  4. Save Changes
  5. Verify
    • Keep your current admin session open and test an SP-initiated login from a private browser window
    • If a login fails, the SAML Assertion Validator on the Single Sign-On Settings page shows why the last SAML response was rejected
  6. Coordinate with IDP Team
    • Ensure your IDP team switches to signing with the new certificate at the same time
    • Mismatched certificates (Salesforce holding one while the IDP signs with another) cause SSO authentication failures
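Whether the IDP has actually switched to the new certificate is visible in its published SAML metadata. The following is an added example that is not part of this article or of Salesforce (the function names and the metadata document are this example's own): Okta, Entra ID and most other IDPs publish federation metadata, and during a rollover it typically lists both the old and the new signing certificate, so the check extracts every KeyDescriptor marked for signing and reports whether the certificate Salesforce holds (the file you uploaded, or the ValidationCert value of the SamlSsoConfig record if you read it through the API) is one the IDP currently signs with. The metadata document and the base64 blobs inside it are constructed placeholders, not real certificates; fetch your IDP's metadata URL and pass its text to `check_rollover` instead.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, colon-separated as Okta and Entra display it."""
    der = base64.b64decode("".join(cert_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def idp_signing_certs(metadata_xml):
    """Fingerprints of every certificate the IdP advertises for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append(fingerprint(cert.text))
    return found


def check_rollover(metadata_xml, salesforce_cert_b64):
    """Compare the certificate Salesforce holds with the IdP's current signing set."""
    idp = idp_signing_certs(metadata_xml)
    held = fingerprint(salesforce_cert_b64)
    return {
        "salesforce_holds": held,
        "idp_signing": idp,
        "idp_signs_with_held_cert": held in idp,   # False: Salesforce will reject the IdP's responses
        "rollover_in_progress": len(idp) > 1,      # IdP still advertises more than one signing cert
    }


# --- constructed sample input: placeholder blobs, not real certificates ---
OLD_CERT_B64 = base64.b64encode(b"placeholder: idp signing cert expiring 2026").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder: idp signing cert issued 2026").decode()
ENC_CERT_B64 = base64.b64encode(b"placeholder: idp encryption cert").decode()
STALE_CERT_B64 = base64.b64encode(b"placeholder: cert retired last year").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for held in (OLD_CERT_B64, STALE_CERT_B64):
        print(check_rollover(SAMPLE_METADATA, held))
```

A result with `idp_signs_with_held_cert` false means the IDP is no longer signing with the certificate Salesforce has, so SSO logins are being rejected; `rollover_in_progress` true means the IDP still advertises its old key alongside the new one and has not retired it yet.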

Generating a New Self-Signed Certificate (Service Provider - If Needed)

  1. Access Certificate Management
    • From Setup, enter "Certificate" in the Quick Find box
    • Select Certificate and Key Management
  2. Create Certificate
    • Click Create Self-Signed Certificate
  3. Configure Certificate Details
    • Label: Enter a descriptive name (e.g., "SSO Certificate 2026")
    • Unique Name: Use auto-populated name or customize (alphanumeric and underscores only, must start with a letter)
    • Key Size:
      • 2048-bit or 3072-bit: 1-year validity, faster performance
      • 4096-bit: 2-year validity, recommended for Shield Platform Encryption
  4. Save
    • Click Save; the certificate and key pair are generated automatically, and the private key never leaves Salesforce
    • Note: Maximum of 50 certificates allowed per org
  5. Download
    • Click Download Certificate to get the .crt file for sharing with your IDP
  6. Update IDP Configuration
    • Provide the downloaded .crt file to your IDP team
    • They will update their SAML configuration with your new certificate
    • Then select the new certificate as the Request Signing Certificate (or Assertion Decryption Certificate) in Single Sign-On Settings, since creating a certificate does not by itself make SSO use it
Resolution

Steps to upload a new certificate

1. Edit the Single Sign-On settings. In Salesforce Lightning, click the Gear icon, then go to Setup | Identity | Single Sign-On Settings. In the Classic UI, go to Setup | Administer | Security Controls | Single Sign-On Settings. Select the SSO setting and click Edit.
2. Click the 'Choose File' button to upload the new certificate in the 'Identity Provider Certificate' field.
3. Save the changes after uploading the new certificate.


Note: The file uploaded in step (2) should have the extension .crt or .cer.
 

Knowledge Article Number

000386054
