Q: What is the advice to minimize this SF SSO interruption when the IDP certificate expires? A: A customer ran into this recently and all their users were impacted. Two approaches are: a) disable this feature on ADFS to have full control of timing, or b) determine when the new cert will be available and update it in Salesforce immediately after it becomes available. – cloud lover Feb 11 at 15:24
Q: Can the IDP certificate be automatically updated in SF SSO? A: You could have a Metadata API client that automatically updates the SamlSsoConfig metadata object to reflect the new validationCert. – cloud lover Feb 11 at 15:25
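A worked version of the automation the comment above sketches, added here as an example and not the commenter's own code: it reads the IdP's published federation metadata (ADFS serves it at /FederationMetadata/2007-06/FederationMetadata.xml), finds the token-signing certificate Salesforce is not yet configured with, and writes the updated SamlSsoConfig metadata file plus the package.xml a Metadata API deploy would push. The two certificates, the federation metadata, the config name ADFS and the rollover policy (exactly one unknown signing certificate is expected; anything else stops for an operator decision) are constructed assumptions, and the deploy itself is left to an external Metadata API client such as the Salesforce CLI.

```python
"""Added example: prepare a SamlSsoConfig validationCert rotation for the
Salesforce Metadata API from the IdP's federation metadata. Stdlib only."""
import base64
import re
import xml.etree.ElementTree as ET

SF_NS = "http://soap.sforce.com/2006/04/metadata"
SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", SF_NS)  # serialize output with the default namespace


def normalize_cert(text):
    """Strip PEM armor and whitespace; the metadata field holds only the base64
    body. Check the body decodes to DER (an X.509 Certificate is a SEQUENCE)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("not a DER X.509 certificate")
    return body


def idp_signing_certs(federation_metadata_xml):
    """Every X509Certificate under a KeyDescriptor usable for signing (ADFS
    publishes the upcoming token-signing cert here before promoting it)."""
    root = ET.fromstring(federation_metadata_xml)
    certs = []
    for kd in root.iter(f"{{{SAML_MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means both uses
            continue
        for c in kd.iter(f"{{{DSIG_NS}}}X509Certificate"):
            certs.append(normalize_cert(c.text or ""))
    return certs


def current_validation_cert(samlssoconfig_xml):
    node = ET.fromstring(samlssoconfig_xml).find(f"{{{SF_NS}}}validationCert")
    if node is None or not node.text:
        raise ValueError("SamlSsoConfig has no validationCert")
    return normalize_cert(node.text)


def select_new_cert(samlssoconfig_xml, federation_metadata_xml):
    """The IdP signing cert Salesforce does not have yet, or None if it already
    matches. Assumed policy: one new cert during a rollover; more is ambiguous."""
    current = current_validation_cert(samlssoconfig_xml)
    published = idp_signing_certs(federation_metadata_xml)
    if not published:
        raise ValueError("IdP metadata publishes no signing certificate")
    candidates = [c for c in published if c != current]
    if not candidates:
        return None
    if len(candidates) > 1:
        raise ValueError(f"{len(candidates)} unknown signing certs; choose one explicitly")
    return candidates[0]


def rotate_validation_cert(samlssoconfig_xml, new_cert):
    """Rewrite only <validationCert>; issuer, entity ID and login URL stay, so
    the existing ADFS relying party trust keeps working."""
    root = ET.fromstring(samlssoconfig_xml)
    root.find(f"{{{SF_NS}}}validationCert").text = normalize_cert(new_cert)
    return ET.tostring(root, encoding="unicode")


def package_xml(config_name, api_version="58.0"):
    """Manifest for a Metadata API deploy of the single SamlSsoConfig member."""
    return (f'<?xml version="1.0" encoding="UTF-8"?>\n<Package xmlns="{SF_NS}">\n'
            f"    <types>\n        <members>{config_name}</members>\n"
            f"        <name>SamlSsoConfig</name>\n    </types>\n"
            f"    <version>{api_version}</version>\n</Package>\n")


def build_deploy_package(samlssoconfig_xml, federation_metadata_xml):
    """{path: content} for a Metadata API deploy, or None when nothing changed."""
    new_cert = select_new_cert(samlssoconfig_xml, federation_metadata_xml)
    if new_cert is None:
        return None
    name = ET.fromstring(samlssoconfig_xml).findtext(f"{{{SF_NS}}}name")
    return {"package.xml": package_xml(name),
            f"samlssoconfigs/{name}.samlssoconfig": rotate_validation_cert(samlssoconfig_xml, new_cert)}


# Constructed sample data: fake DER bodies (SEQUENCE tag first) for old, new and
# an encryption-only cert; a minimal ADFS-style metadata document; the config.
OLD_CERT = base64.b64encode(b"\x30\x82\x02\x10old-token-signing-cert".ljust(48, b"\x00")).decode()
NEW_CERT = base64.b64encode(b"\x30\x82\x02\x10new-token-signing-cert".ljust(48, b"\x00")).decode()
ENC_CERT = base64.b64encode(b"\x30\x82\x02\x10token-encryption-cert".ljust(48, b"\x00")).decode()
FEDERATION_METADATA = f"""<EntityDescriptor xmlns="{SAML_MD_NS}" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DSIG_NS}"><X509Data><X509Certificate>{NEW_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{DSIG_NS}"><X509Data><X509Certificate>{ENC_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
CURRENT_CONFIG = f"""<SamlSsoConfig xmlns="{SF_NS}">
    <identityLocation>SubjectNameId</identityLocation>
    <identityMapping>FederationId</identityMapping>
    <issuer>http://adfs.example.com/adfs/services/trust</issuer>
    <loginUrl>https://adfs.example.com/adfs/ls/</loginUrl>
    <name>ADFS</name>
    <samlVersion>SAML2_0</samlVersion>
    <validationCert>{OLD_CERT}</validationCert>
</SamlSsoConfig>"""

if __name__ == "__main__":
    for path, content in (build_deploy_package(CURRENT_CONFIG, FEDERATION_METADATA) or {}).items():
        print("==>", path)
        print(content)
```

Run it on a schedule from the point ADFS starts publishing the next certificate; it produces nothing while Salesforce already trusts the published signing certificate, a one-file deploy when exactly one new certificate appears, and refuses to guess when the metadata lists several unknown ones. Because only validationCert is rewritten, the deploy never touches the issuer or entity ID, so the ADFS side needs no matching change.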
Q: Does SF SSO support a secondary IDP certificate and if so please advise the procedure? Is it appropriate to set up a second SAML SSO setting with identical settings but a different certificate? A: You can add another SAML config, which would allow you to enter a new cert, but you would need additional config on ADFS as you would need a different Issuer and Entity ID combination. This would make sense if ADFS can be configured to automatically change the Issuer and Entity ID, which would make the operation seamless. – cloud lover Feb 11 at 15:25
Best Answer
You can pass a session ID as an attribute in the SAML Assertion. In the Connected App configuration for your SP, set $Api.Session_ID as a Custom Attribute value. The recipient will be able to use the session ID with the REST API.
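The receiving side of the answer above, added here as an example and not the answerer's code: the SP pulls the session ID out of the assertion's AttributeStatement, but only after checking the assertion's validity window and audience, and then sends it to the REST API the same way it would send an OAuth access token. The custom attribute name sf_session_id, the SP entity ID, the org instance URL and the sample assertions are constructed assumptions; XML signature verification is out of scope (use a SAML library for it) and must happen before any of this runs, because a session ID is a bearer credential for the user's whole session.

```python
"""Added example: consume a Salesforce session ID delivered as a SAML custom
attribute ($Api.Session_ID on the Connected App) and build a REST API call."""
from datetime import datetime, timezone
import urllib.request
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SESSION_ATTR = "sf_session_id"                      # assumed custom attribute name
SP_ENTITY_ID = "https://sp.example.com/saml"        # assumed SP entity ID
INSTANCE_URL = "https://example.my.salesforce.com"  # assumed org instance URL
API_VERSION = "58.0"


def parse_saml_time(value):
    """SAML timestamps are UTC; accept with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad SAML timestamp {value!r}")


def session_id_from_assertion(assertion_xml, now=None):
    """Return the session ID only if the (already signature-verified) assertion
    is inside its validity window, addressed to us, and carries one value."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < parse_saml_time(not_before)) or \
       (not_on_or_after and now >= parse_saml_time(not_on_or_after)):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]:
        raise ValueError("assertion not addressed to this SP")
    values = [v.text for a in root.iter(f"{{{SAML_NS}}}Attribute")
              if a.get("Name") == SESSION_ATTR
              for v in a.iter(f"{{{SAML_NS}}}AttributeValue")]
    if len(values) != 1 or not values[0]:
        raise ValueError(f"expected exactly one {SESSION_ATTR} value")
    return values[0]


def api_request(session_id, path):
    """A REST call authenticated with the session ID as a bearer token."""
    url = f"{INSTANCE_URL}/services/data/v{API_VERSION}/{path.lstrip('/')}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Bearer {session_id}")
    req.add_header("Accept", "application/json")
    return req


# Constructed assertions, shaped like what the SP sees after signature checks.
def _assertion(not_on_or_after, sid="00Dxx0000000001!AQEAQ.constructed.session.id"):
    return f"""<Assertion xmlns="{SAML_NS}" Version="2.0" ID="_c1" IssueInstant="2024-01-01T00:00:00Z">
  <Issuer>https://example.my.salesforce.com</Issuer>
  <Subject><NameID>user@example.com</NameID></Subject>
  <Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
    <AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="{SESSION_ATTR}"><AttributeValue>{sid}</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

VALID_ASSERTION = _assertion("2099-01-01T00:00:00Z")
EXPIRED_ASSERTION = _assertion("2024-01-01T00:05:00Z")

if __name__ == "__main__":
    sid = session_id_from_assertion(VALID_ASSERTION)
    req = api_request(sid, "/sobjects/Account/describe")
    print(req.full_url, req.get_header("Authorization")[:16] + "...")
```

The session ID grants everything the user can do for as long as the session lives, so the assertion that carries it must travel only over TLS (or be encrypted to the SP), the SP must reject it if the signature, audience or time window fail, and the SP should never log the attribute value.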