
There are different reasons why you might not be able to access your org, such as an expired password, a Salesforce service degradation, or expired licenses, but the most common one is related to the SSO certificates (if you are using SSO). Users may get an error like: “We can't log you in. Check for an invalid assertion in the SAML Assertion Validator”. This error is a clue that something is wrong with your SSO configuration and needs to be checked by the admin of the org. Don't wait too long to get your org up and running again.


If you are not familiar with SSO, you might be asking yourself: what is SSO? As per the Salesforce definition: Single sign-on (SSO) lets users access authorized network resources with one login. You validate usernames and passwords against your corporate user database or other client app rather than Salesforce managing separate passwords for each resource. If you are interested in using SSO for your Salesforce org with ADFS, check the following video:


It is highly recommended that the system administrators of the org can log in using SSO, as this will help you troubleshoot a possible issue with an SSO certificate.


The first thing you need to do as the admin of the org is to log in to your org using . Once you are in, follow the next steps:

  1. Go to Setup.
  2. Under Identity,
  3. select Single Sign-On Settings.
  4. Click Edit on the SSO configuration your org is currently using.

There are 2 different certificates you need to look at:

  • Identity Provider Certificate: The authentication certificate issued by your identity provider.
  • Request Signing Certificate: This certificate is used to generate the signature on a SAML request to the identity provider. It is used when Salesforce is the service provider for a service provider-initiated SAML login. You save the signing certificate from the Certificate and Key Management Setup page. If you haven’t saved one, Salesforce uses the global proxy certificate, but a signing certificate is preferred because it gives you more control over events such as certificate expiration.
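Both certificates above are plain X.509 certificates, so their expiry date can be checked before anyone sees the login error. As an added example (not part of this post and not Salesforce or ADFS tooling), the stdlib-only Python script below reads the certificate from the <ds:X509Certificate> element of a SAML metadata file, walks the DER structure to the notAfter field, and reports the days left. The DER skeleton and the metadata fragment are constructed sample data; in production you would load a real metadata export and use the cryptography library's X.509 parser instead of the hand-rolled DER walk.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def not_after(der: bytes) -> datetime:
    """Certificate -> tbsCertificate -> validity -> notAfter (RFC 5280 4.1)."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    seqs = [v for t, v in _children(tbs) if t == 0x30]
    validity = seqs[2]                      # after signature alg and issuer
    tag, raw = list(_children(validity))[1] # notAfter is the second Time
    text = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ: 50..99 -> 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_from_metadata(xml: str) -> bytes:
    """Decode the first <ds:X509Certificate> element (base64 DER)."""
    m = re.search(r"<(?:\w+:)?X509Certificate>\s*([^<]+?)\s*</", xml)
    return base64.b64decode("".join(m.group(1).split()))

def days_until_expiry(xml: str, as_of: str = None) -> int:
    """Negative means already expired. as_of: ISO date like '2026-12-01' (default: now, UTC)."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc) if as_of else datetime.now(timezone.utc)
    return (not_after(cert_from_metadata(xml)) - now).days

# Constructed sample (not a real certificate): a minimal DER skeleton wrapped in a
# metadata fragment shaped like the KeyDescriptor in ADFS FederationMetadata.xml.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body   # short-form length only (body < 128 bytes)

SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")      # [0] version v3, serial
    + _der(0x30, b"") + _der(0x30, b"")                         # signature alg, issuer
    + _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"261231235959Z"))))
SAMPLE_METADATA = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                   + base64.b64encode(SAMPLE_DER).decode()
                   + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
```

Run `days_until_expiry(SAMPLE_METADATA)` against the current date, or against a real metadata file's contents, and alert when the result drops below your renewal window (30 days is a common threshold).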


There are different service providers you can use in your Salesforce org, such as Okta, ADFS, OneLogin, etc. Which one you use depends on what your company needs based on its infrastructure and requirements.

Check who your service provider is; based on that, you will follow the steps as needed. In this case, I’ll show you the steps you need to follow if your service provider is ADFS and the Request Self Signing Certificate has expired (you don’t need to do this process when you set up SSO for the first time, because the metadata file already contains the Self Signing Certificate). It is much easier than you think! Check the following video:



If the certificate that is about to expire is the Identity Provider Certificate, check the following BMC article:


We hope this information was useful to you.

Other Resources