SP certificate expiration
Cantor, Scott
cantor.2 at osu.edu
Tue Apr 26 18:30:48 EDT 2016
On 4/26/16, 6:18 PM, "users on behalf of Andrew Morgan" <users-bounces at shibboleth.net on behalf of morgan at orst.edu> wrote:
>I'm testing SAML integration between Salesforce and our IDP v3.2.
>Salesforce's metadata contains a CA-signed certificate that expires in
>2017. It sounds like I can generate a self-signed certificate in
>Salesforce and configure Salesforce to sign SAML requests with it.
>However, the self-signed certificates in Salesforce are only valid for 1
>year.
Yes, that's my observation.
>Some Googling around indicates that the IDP doesn't care if the
>certificate expires. Can anyone confirm that?
It doesn't care.
>Can I enable assertion encryption using this self-signed certificate that
>will expire in 1 year?
It's likely that Salesforce will break and refuse to keep using it at that point.
>What have other people done for Salesforce?
I disabled encryption (or more accurately with V3 I use the optional encryption feature). I don't allow it to be used if it means building a time bomb into the system. I've refused to enable it for several vendors that tried to pull the same nonsense.
-- Scott
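For readers who want to see what the "optional encryption feature" Scott refers to looks like in practice, the fragment below is an added example of a Shibboleth IdP v3 `conf/relying-party.xml` override, not configuration posted by Scott or shipped with any product. It uses the real `encryptionOptional` property of the `SAML2.SSO` profile bean: when set, the IdP encrypts assertions if the SP's metadata contains a usable encryption key and falls back to unencrypted (still signed) assertions if it does not, so an SP certificate that lapses or is removed from metadata does not become the "time bomb" described above. The entityID is a placeholder and must be replaced with the actual SP's entityID from its metadata.

```xml
<!-- Added example for conf/relying-party.xml (IdP v3), not from the original post.
     Applies the optional-encryption behaviour only to one SP; all other
     relying parties keep the defaults defined in shibboleth.DefaultRelyingParty. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Placeholder entityID: substitute the SP's real entityID from its metadata. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/PLACEHOLDER">
        <property name="profileConfigurations">
            <list>
                <!-- encryptionOptional="true": encrypt assertions when the SP
                     publishes a usable encryption key; otherwise issue a signed,
                     unencrypted assertion instead of failing the request. -->
                <bean parent="SAML2.SSO" p:encryptionOptional="true" />
            </list>
        </property>
    </bean>

</util:list>
```

Because the IdP resolves the SP's keys from metadata rather than validating them as a trust chain, a certificate's notAfter date does not by itself stop the IdP from signing or encrypting to it; the practical risk is on the SP side, which may refuse to decrypt or verify with a key it considers expired. Pairing `encryptionOptional` with a periodic check of the notAfter dates of the certificates in each SP's metadata lets an operator see an upcoming expiry before it turns into a help-desk ticket.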