SP certificate expiration

Cantor, Scott cantor.2 at osu.edu
Wed Apr 27 09:41:45 EDT 2016

On 4/27/16, 7:04 AM, "users on behalf of Losen, Stephen C. (scl)" <users-bounces at shibboleth.net on behalf of scl at eservices.virginia.edu> wrote:

>Would you be willing to share with me your Salesforce SP setup?  I admin the Shibboleth IDP here and a department is trying to set up SAML on their Salesforce instance using the web tool. They keep sending me screen shots asking me what to do and I have offered some suggestions, but we can't get it working.  We get past the Shib IDP login, but the username is not being recognized by the SP.  We are sending eppn as an attribute using the "urn:oid..." style name.  I don't have access to the web tool (I'm not the Salesforce customer).

That doesn't matter. If you're the IdP admin, you need to have permanent access to the Salesforce admin tool for SSO setup. If you don't, you will have no way to manage change or revocation of your credentials, and the inability to address the latter is just not acceptable if you're going to operate securely.

You simply need to make that a condition of enabling SSO with these sorts of applications.

If they resist that, you can take 5 minutes explaining to them that enabling SSO via SAML means that you have the ability to impersonate anybody at anytime to any connected SP anyway.

-- Scott
