SP certificate expiration

Losen, Stephen C. (scl) scl at eservices.virginia.edu
Wed Apr 27 07:04:10 EDT 2016

Hi Andy,

Would you be willing to share with me your Salesforce SP setup?  I admin the Shibboleth IDP here and a department is trying to set up SAML on their Salesforce instance using the web tool. They keep sending me screen shots asking me what to do and I have offered some suggestions, but we can't get it working.  We get past the Shib IDP login, but the username is not being recognized by the SP.  We are sending eppn as an attribute using the "urn:oid..." style name.  I don't have access to the web tool (I'm not the Salesforce customer).  If you have something working could you describe what you did, or send me a screen shot.  My email addr is below, to avoid cluttering this mailing list.


Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Andrew Morgan
Sent: Tuesday, April 26, 2016 6:19 PM
To: Shib Users
Subject: SP certificate expiration

I'm testing SAML integration between Salesforce and our IDP v3.2. 
Salesforce's metadata contains a CA-signed certificate that expires in 
2017.  It sounds like I can generate a self-signed certificate in 
Salesforce and configure Salesforce to sign SAML requests with it. 
However, the self-signed certificates in Salesforce are only valid for 1 

Some Googling around indicates that the IDP doesn't care if the 
certificate expires.  Can anyone confirm that?

Can I enable assertion encryption using this self-signed certificate that 
will expire in 1 year?

What have other people done for Salesforce?
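The thread's second problem (the IdP login succeeds but the SP does not recognize the user) is usually an identifier-mapping mismatch rather than a certificate issue: the SP compares the attribute `Name` string it is configured to read against the `Name` the IdP actually sends, and a transient `NameID` cannot match a stored account identifier. The following diagnostic is an added example, not code from either poster or from Shibboleth or Salesforce; it parses a constructed, unsigned SAML response (made up for this example) and reports what identifier an SP configured for a given attribute name would see. The OID for eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) is the standard one; the issuer URL, IDs and user value are invented.

```python
"""Diagnose why an SP may not recognize the user in a SAML response.

Parses an Assertion with the standard library only and answers: given the
attribute Name (or Subject NameID) the SP is configured to read, which value
would it get, and if none, why.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Well-known eduPerson attribute OIDs and their friendly names.
KNOWN_OIDS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

# Constructed sample: unsigned, not captured from any real IdP or SP.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tid123</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="eduPersonPrincipalName">
        <saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def summarize(response_xml):
    """Extract issuer, Subject NameID and released attributes from a response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion found (an EncryptedAssertion must be decrypted first)")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = {
            "friendly": attr.get("FriendlyName"),
            "format": attr.get("NameFormat"),
            "values": [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)],
        }
    return {
        "issuer": (assertion.findtext("saml2:Issuer", namespaces=NS) or "").strip(),
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": name_id.text if name_id is not None else None,
        "attributes": attrs,
    }


def resolve_identifier(response_xml, expected):
    """Return (value, diagnosis) for the identifier the SP is configured to read.

    `expected` is the exact attribute Name string the SP uses, or "NameID" when
    the SP takes the identity from the Subject.
    """
    s = summarize(response_xml)
    if expected == "NameID":
        if s["nameid_format"] == TRANSIENT:
            return None, ("NameID is transient: it changes every session and cannot match a "
                          "stored user identifier; use a persistent NameID or map an attribute")
        return s["nameid_value"], "SP reads the Subject NameID"
    attrs = s["attributes"]
    if expected in attrs:
        return attrs[expected]["values"][0], f"matched attribute Name {expected!r}"
    # Not found under the exact Name: check whether it arrived under another spelling.
    for name, info in attrs.items():
        if expected in (info["friendly"], KNOWN_OIDS.get(name)):
            return None, (f"SP expects {expected!r} but the IdP sends it as Name {name!r} "
                          f"(FriendlyName {info['friendly']!r}); configure the SP with that exact Name")
    return None, f"no attribute named {expected!r}; IdP released: {sorted(attrs)}"


if __name__ == "__main__":
    for expected in ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "eduPersonPrincipalName", "NameID"):
        value, why = resolve_identifier(SAMPLE_RESPONSE, expected)
        print(f"{expected:40} -> {value!r}: {why}")
```

Run against a decrypted response captured with the SP's own debugging tools (or the IdP's audit log of released attributes); the second and third lines of the output show the two common misconfigurations, a friendly name entered where the OID-style `Name` is required, and an SP pointed at a transient `NameID`.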
