
SSO SSL understanding

Hi, I am very confused.


We are using code to communicate via SAML with Salesforce.


We are trying to be an IdP and I am confused on:


1. Do I create the Cert / Keys from Salesforce? If not, then I use a CA to create them, fine.

2. What is the FQDN or just the domain name that should be used? Or my domain?

3. Do I upload the Cert or Private key to Salesforce? Then I will understand what I need on my side.




Thank you for help/understanding.  These simple questions don't seem to be clear to me anywhere.




Scott T.


1.) If you are acting as the IdP, you should be the one creating your keys / certificates - not Salesforce.  That way only you have a copy of the private signing key.  It can be sourced from a public or private CA, or even be a self-signed certificate.
2.) The cert / key is used for digital signing, and doesn't need the domain name to correspond to anything (so your SubjectName could be anything).  You will set Salesforce's SP settings ("Single Sign-On Settings") to explicitly trust it.
3.) You upload just the certificate.  The cert contains the public verification key that corresponds to the private signing key your IdP will use.
Hope that helps...



Thanks Scott.  Hope you can answer this too.  :)


Let me give you some more background.


Our dev team is building the IdP portion on our IIS webserver(s).  They are building this using SAML code.

Enduser client > Load balancer > IIS webserver(s) > SSO > Salesforce/SP


So the dev team is saying they need the public cert and private key in order to digitally sign the request they send to Salesforce/SP, so Salesforce/SP knows it is us and trusted, as opposed to someone who is not trusted and has not digitally signed the request.


Now, as far as I understand via the handshaking process, what they are asking for is not needed but... I don't know 100%.


Any guidance would be great.




Is this something Salesforce support will be able to answer for me?



Scott T.

I'm sure they could help, yes.


I think the question is easy enough though...


SAML messages are transported via the browser itself, not via SSL connection directly between your IIS server and SFDC.  The SAML messages are carried as part of the HTTP payload.  You don't require an SSL certificate on your end.  However, you do need to digitally sign your Assertions at your IdP side.  For this, any certificate will do - it could even be a self-signed one.  You don't need to source it from a publicly trusted CA (such as VeriSign or Entrust).


You will import the public signing (verification) certificate in SSO configuration at SFDC.  The private signing key should only be held by your application itself.


Hope that helps...
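The two answers above describe the same key-handling rule: the IdP generates its own key pair, the certificate (public key) is the only thing uploaded to the SP's Single Sign-On Settings, the certificate's subject name is irrelevant because the SP trusts that exact certificate, and the private key stays with the IdP and signs the assertions. The following Go program is an added example illustrating that split; it is not code from this thread, from Salesforce, or from the poster's IIS project. It is deliberately simplified: it signs a SHA-256 digest of the raw assertion bytes with RSA PKCS#1 v1.5 (the same primitive as XML-DSig's rsa-sha256) rather than performing XML canonicalization and building a full `ds:Signature` element, and the assertion, subject name and issuer URL are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IdPSigner is what stays on the IdP: the private signing key and its certificate.
type IdPSigner struct {
	priv    *rsa.PrivateKey
	certDER []byte
}

// NewSelfSignedIdP generates the key pair on the IdP side and wraps the public key in a
// self-signed certificate. The subject is arbitrary (a hypothetical name is passed in):
// the SP trusts this exact certificate and never matches it against a DNS name.
func NewSelfSignedIdP(subject string) (*IdPSigner, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return &IdPSigner{priv: priv, certDER: der}, nil
}

// CertPEM is the only artifact that leaves the IdP: the certificate an admin pastes into
// the SP's Single Sign-On Settings. There is intentionally no method that exports the key.
func (s *IdPSigner) CertPEM() string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.certDER}))
}

// SignAssertion signs the assertion with the IdP's private key and returns the signature
// base64-encoded, as it would travel inside the browser-posted SAML response.
// Simplification: real XML-DSig canonicalizes the XML before hashing; raw bytes are hashed here.
func (s *IdPSigner) SignAssertion(assertion []byte) (string, error) {
	digest := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyAssertion is the SP side: it holds only the uploaded certificate and accepts the
// assertion only if the signature verifies under that certificate's public key.
func VerifyAssertion(trustedCertPEM string, assertion []byte, sigB64 string) error {
	block, _ := pem.Decode([]byte(trustedCertPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("trusted cert is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse trusted cert: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("trusted cert does not carry an RSA public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decode signature: %w", err)
	}
	digest := sha256.Sum256(assertion)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("signature does not verify against the trusted IdP certificate")
	}
	return nil
}

// Constructed sample assertion; not a real Salesforce message.
var sampleAssertion = []byte(`<saml:Assertion ID="_example"><saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject></saml:Assertion>`)

func main() {
	idp, err := NewSelfSignedIdP("my-idp-signing-cert") // hypothetical subject name
	if err != nil {
		panic(err)
	}
	uploaded := idp.CertPEM() // the only thing the SP ever receives
	sig, _ := idp.SignAssertion(sampleAssertion)
	fmt.Println("genuine assertion:", VerifyAssertion(uploaded, sampleAssertion, sig))
	tampered := append(append([]byte(nil), sampleAssertion...), ' ')
	fmt.Println("tampered assertion:", VerifyAssertion(uploaded, tampered, sig))
}
```

The SP-side function shows why uploading the private key would be wrong: verification needs nothing but the certificate, so anyone holding the private key could mint assertions the SP accepts, and the SP has no way to tell them from the real IdP.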