Loading

SSO Working with Expired Self-Signed Certificate and the IDP is not Salesforce

Data pubblicazione: Jun 15, 2026
Descrizione

Single Sign-On (SSO) allows users to authenticate once and gain access to multiple systems without logging in separately to each one. In Salesforce, when an external Identity Provider (IDP) — not Salesforce itself — controls authentication, you may notice that SSO continues to work correctly even after the self-signed certificate used as the Request Signing Certificate has expired.

Risoluzione

Why This Behavior Occurs

When the IDP is not Salesforce, the IDP has control over how the self-signed certificate is used for secure communication and authentication. Salesforce does not control how the IDP validates or enforces certificate expiration. As a result, SSO may continue to function even with an expired certificate, because the IDP is the entity choosing whether to enforce certificate validity.

 

Steps to Replace the Expired Certificate

If you want to continue using a self-signed certificate solution, use the links in the Additional Resources section below to generate a new self-signed Salesforce certificate and replace the expired one in your Single Sign-On settings.

Numero articolo Knowledge

000392854

 
Caricamento
Salesforce Help | Article