[SalesForce] Single Sign on certificate expiration service interruption

Our organization is using the SF single sign on feature and the IDP certificate is expiring soon.
SAML SSO with ADFS is used. We need to minimize the user SSO service interruption and our questions include:

1) What is the best SF practice in order to minimize user SSO interruption when the current IDP (ADFS) certificate expires?
Beyond this, we already checked the doc: https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_tips.htm&language=en

2) It is known ADFS generates a secondary certificate 20 days prior to the expiry date. This new IDP certificate will automatically be promoted and become the primary certificate 15 days prior to the expiry date. We believe all SF user SSO will fail at this point unless the IDP certificate is manually updated in the SF SSO setup. Please, what is the advice to minimize this SF SSO interruption when the IDP certificate expires?

3) Is the IDP certificate automatically updated in SF SSO?

4) Does SF SSO support a secondary IDP certificate and if so what is the procedure?

5) Please, is it appropriate to set up a second SAML SSO settings entry with identical settings but with different certificates? Meaning, the 1st SSO config has the current IDP certificate which is about to expire and the 2nd SSO config has the new IDP certificate which is to become effective (to be auto promoted as the primary)?

Best Answer

Q: What is the advice to minimize this SF SSO interruption when the IDP certificate expires? A: A customer ran into this recently and all their users were impacted. Two approaches are: a) disable this feature on ADFS to have full control of timing, or b) determine when the new cert will be available and update it in Salesforce immediately after it becomes available. – cloud lover Feb 11 at 15:24

Q: Can the IDP certificate be automatically updated in SF SSO? A: You could have a Metadata API client that automatically updates the SamlSsoConfig metadata object to reflect the new validationCert. – cloud lover Feb 11 at 15:25

Q: Does SF SSO support a secondary IDP certificate and if so please advise the procedure? Is it appropriate to setup a second SAML SSO settings with identical setting but with different certificates? A: You can add another SAML config, which would allow you to enter a new cert, but you would need additional config on ADFS as you would need a different Issuer and Entity ID combination. This would make sense if ADFS can be configured to automatically change the Issuer and Entity ID, which would make the operation seamless. – cloud lover Feb 11 at 15:25
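The answer's second option (watch for the new ADFS certificate and push it into Salesforce before ADFS promotes it) needs one check that the thread does not spell out: is the certificate Salesforce currently trusts still among the ones ADFS publishes, and has ADFS started publishing one Salesforce does not yet trust? The script below is an added example, not code from the thread or from Salesforce/Microsoft. It assumes you have already fetched the ADFS `FederationMetadata.xml` and the `validationCert` value of the `SamlSsoConfig` metadata object by whatever means you use; both are passed in as strings. It compares SHA-256 fingerprints of the raw DER bytes, so it needs no X.509 library. The certificate blobs and the metadata document embedded here are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

# SAML 2.0 metadata and XML-DSig namespaces used by ADFS federation metadata.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes of a base64 certificate.

    Accepts the bare base64 found in <X509Certificate> and in the Salesforce
    validationCert field, as well as PEM with BEGIN/END armor lines."""
    body = "".join(
        line.strip() for line in cert_b64.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    der = base64.b64decode(body)
    return hashlib.sha256(der).hexdigest()


def idp_signing_certs(metadata_xml: str) -> List[str]:
    """Fingerprints of every signing certificate the IdP currently publishes.

    During an ADFS rollover both the current and the new signing certificate
    appear here. A KeyDescriptor without a 'use' attribute is valid for both
    signing and encryption, so it is included too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(fingerprint(x509.text or ""))
    return certs


def rollover_status(idp_certs: List[str], sf_validation_cert_b64: str) -> Dict[str, object]:
    """Classify the IdP/Salesforce certificate state.

    BROKEN: ADFS no longer publishes the cert Salesforce trusts, SSO is failing.
    ROLLOVER_PENDING: ADFS publishes a cert Salesforce does not trust; since
      Salesforce holds a single validationCert, assertions signed with the
      other cert will fail, so the update has to be timed with ADFS promotion.
    IN_SYNC: the only published signing cert is the one Salesforce trusts."""
    configured = fingerprint(sf_validation_cert_b64)
    untrusted = [c for c in idp_certs if c != configured]
    if configured not in idp_certs:
        state = "BROKEN"
    elif untrusted:
        state = "ROLLOVER_PENDING"
    else:
        state = "IN_SYNC"
    return {"state": state, "configured": configured, "untrusted_idp_certs": untrusted}


# Constructed placeholder blobs standing in for real DER certificates; the
# functions above only hash bytes, so they do not care that these are not X.509.
CURRENT_CERT = base64.b64encode(b"constructed placeholder: current ADFS signing cert").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder: new ADFS signing cert").decode()


def build_metadata(signing_certs: List[str]) -> str:
    """Constructed ADFS-style federation metadata listing the given signing certs."""
    keys = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for c in signing_certs
    )
    return (
        f'<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" '
        'entityID="http://adfs.example.test/adfs/services/trust">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}</IDPSSODescriptor></EntityDescriptor>"
    )


METADATA_DURING_ROLLOVER = build_metadata([CURRENT_CERT, NEW_CERT])  # 20 to 15 days before expiry
METADATA_AFTER_ROLLOVER = build_metadata([NEW_CERT])                 # old cert dropped from metadata

if __name__ == "__main__":
    for label, md in (("during rollover", METADATA_DURING_ROLLOVER),
                      ("after rollover", METADATA_AFTER_ROLLOVER)):
        status = rollover_status(idp_signing_certs(md), CURRENT_CERT)
        print(f"{label}: {status['state']} (untrusted IdP certs: {len(status['untrusted_idp_certs'])})")
```

Run this from a scheduled job against the live metadata URL and the configured `validationCert`; a transition from `IN_SYNC` to `ROLLOVER_PENDING` is the moment the answer's option b) refers to, and `BROKEN` means users are already failing to log in. Because Salesforce trusts exactly one certificate per SAML configuration, the pending state is unavoidable for the length of the rollover window; the job only tells you which side of it you are on.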
