
SalesForce Identity Provider (IDP): Certificates

I have configured SSO using Salesforce as an Identity Provider and an external software system acting as a Service Provider. In order to ensure the identity of the external SP, a CA-signed certificate was generated, signed by a CA, and uploaded to Salesforce. For the Salesforce Identity Provider, a CA-signed certificate was generated: a CSR was exported, signed by a CA, and re-imported into Salesforce. However, when attempting to assign this CA-signed certificate for use with the Salesforce Identity Provider, it is not available to be used. Further research into the documentation uncovered that CA-signed certificates cannot be used for the Salesforce Identity Provider.


I am perplexed as to why Salesforce does not allow CA-signed certificates to be used for the Identity Provider, permitting only self-signed certificates. This forces any external integrating application acting as an SP to expose a hole in its security to permit self-signed certificates.

Is there reasoning I am not seeing as to why this is still secure? Can an exception be made to use the uploaded CA-signed certificate for the Salesforce IDP? If not, is the ability to use CA-signed certificates planned as a future enhancement?


Thanks in advance!
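The following is an added example, not code from the original post or from Salesforce, showing the trust model under which a self-signed IdP signing certificate does not require the SP to loosen anything: in SAML deployments the SP normally pins the IdP's signing certificate taken from the IdP metadata (explicit trust) and verifies the assertion signature under that exact key, rather than chain-validating the certificate against a CA store. The CN `sfidp.example`, the assertion bytes and the use of an ECDSA signature over a SHA-256 digest as a stand-in for XML-DSig are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IdP holds the identity provider's signing key and its self-signed certificate.
type IdP struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSelfSignedIdP mints a self-signed signing certificate, as an IdP that only
// supports self-signed certificates would. The subject is a constructed example.
func NewSelfSignedIdP(cn string) (*IdP, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &IdP{key: key, Cert: cert}, nil
}

// Sign produces an ASN.1 ECDSA signature over SHA-256(assertion); this stands in
// for the XML-DSig signature an IdP places on a SAML assertion.
func (i *IdP) Sign(assertion []byte) ([]byte, error) {
	h := sha256.Sum256(assertion)
	return ecdsa.SignASN1(rand.Reader, i.key, h[:])
}

// Fingerprint is SHA-256 over the DER certificate: the value an SP records from
// the IdP metadata at configuration time and pins thereafter.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SP trusts exactly one IdP signing certificate, identified by fingerprint.
type SP struct {
	PinnedFingerprint string
}

// VerifyAssertion rejects the assertion unless the presented certificate is
// byte-for-byte the pinned one and the signature verifies under its key.
// No CA chain is consulted, so a self-signed certificate is no weaker here.
func (s *SP) VerifyAssertion(presented *x509.Certificate, assertion, sig []byte) error {
	if Fingerprint(presented) != s.PinnedFingerprint {
		return errors.New("certificate does not match pinned IdP certificate")
	}
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	h := sha256.Sum256(assertion)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// ChainValidates reports whether the certificate chains to a root in pool.
// A self-signed IdP certificate only passes when it is itself in the pool,
// which is pinning by another name.
func ChainValidates(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	idp, err := NewSelfSignedIdP("sfidp.example")
	if err != nil {
		panic(err)
	}
	sp := &SP{PinnedFingerprint: Fingerprint(idp.Cert)}
	assertion := []byte(`<saml:Assertion ID="_1">constructed</saml:Assertion>`) // constructed input
	sig, _ := idp.Sign(assertion)
	fmt.Println("pinned verify:", sp.VerifyAssertion(idp.Cert, assertion, sig))
	impostor, _ := NewSelfSignedIdP("sfidp.example") // same CN, different key
	badSig, _ := impostor.Sign(assertion)
	fmt.Println("impostor verify:", sp.VerifyAssertion(impostor.Cert, assertion, badSig))
	fmt.Println("chains to empty CA store:", ChainValidates(idp.Cert, x509.NewCertPool()))
}
```

The impostor case is the one that matters: an attacker can mint a self-signed certificate with the same subject, but without the pinned key material it fails the fingerprint check before the signature is even examined. The SP still needs a secure channel for fetching or importing the IdP metadata in the first place, and a process for rotating the pin when the IdP certificate changes.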


There is a list of Salesforce-accredited CAs; if you use a certificate signed by one of these, you don't need to upload the client cert to SF.
We were once able to set up 2-way SSL with the IBM DataPower using a CA-signed cert and SF using a self-signed cert. It is in fact one step less.