SP certificate expiration

Cantor, Scott cantor.2 at osu.edu
Tue Apr 26 18:30:48 EDT 2016

On 4/26/16, 6:18 PM, "users on behalf of Andrew Morgan" <users-bounces at shibboleth.net on behalf of morgan at orst.edu> wrote:

>I'm testing SAML integration between Salesforce and our IDP v3.2. 
>Salesforce's metadata contains a CA-signed certificate that expires in 
>2017.  It sounds like I can generate a self-signed certificate in 
>Salesforce and configure Salesforce to sign SAML requests with it. 
>However, the self-signed certificates in Salesforce are only valid for 1 

Yes, that's my observation.

>Some Googling around indicates that the IDP doesn't care if the 
>certificate expires.  Can anyone confirm that?

It doesn't care.

>Can I enable assertion encryption using this self-signed certificate that 
>will expire in 1 year?

It's likely that Salesforce will break and refuse to keep using it at that point.

>What have other people done for Salesforce?

I disabled encryption (or more accurately with V3 I use the optional encryption feature). I don't allow it to be used if it means building a time bomb into the system. I've refused to enable it for several vendors that tried to pull the same nonsense.

-- Scott

More information about the users mailing list