Loading

SSO Working with Expired Self-Signed Certificate and the IDP is not Salesforce

Udgivelsesdato: Jun 15, 2026
Beskrivelse

Single Sign-On (SSO) allows users to authenticate once and gain access to multiple systems without logging in separately to each one. In Salesforce, when an external Identity Provider (IDP) — not Salesforce itself — controls authentication, you may notice that SSO continues to work correctly even after the self-signed certificate used as the Request Signing Certificate has expired.

Løsning

Why This Behavior Occurs

When the IDP is not Salesforce, the IDP has control over how the self-signed certificate is used for secure communication and authentication. Salesforce does not control how the IDP validates or enforces certificate expiration. As a result, SSO may continue to function even with an expired certificate, because the IDP is the entity choosing whether to enforce certificate validity.

 

Steps to Replace the Expired Certificate

If you want to continue using a self-signed certificate solution, use the links in the Additional Resources section below to generate a new self-signed Salesforce certificate and replace the expired one in your Single Sign-On settings.

Vidensartikelnummer

000392854

 
Indlæser
Salesforce Help | Article