Update: September 2017

Retirement of Default Certificate affects SAML Single Sign On into Salesforce

Salesforce continues to work on the default certificate expiration. As a security best practice, Salesforce will retire the use of the client certificate with the Winter '18 release (to be rolled out starting October 6, 2017...SAFE HARBOR). During the Winter '18 release, your SAML Single Sign-On configurations that use the default certificate will be switched to a self-signed certificate automatically. For more details, please refer to this Salesforce Knowledge Article.




Due to the upcoming expiration of the default client certificate and for security best practices, Salesforce will retire the use of this client certificate on August 7, 2017 at 9:30 AM US Pacific Time (16:30 UTC). Customers using the following features may be impacted:


  • Single Sign-On using Service Provider (SP)-Initiated SAML
  • Delegated authentication
  • Workflow automated messaging
  • AJAX proxy
  • PageReference.getContent() Apex call
  • PageReference.getContentAsPDF() Apex call


We highly suggest you refer to the following Salesforce Knowledge Article for details and questions.


In this document Salesforce provides the actions you can take to mitigate this retirement.


Additionally, there is a great discussion on this within the Salesforce Success Community, Official: Salesforce Infrastructure group which can be found here:…