Here are some of the things we tend to see with BMC Helix Remedyforce and Single Sign-On.
Active Directory Federation Services (ADFS):
Proactively hoping to avoid an outage due to an expiring certificate, admins upload a new primary certificate and make the expiring certificate the secondary certificate in the ADFS Relying Trust. What happens? No one can log in!
Why? Salesforce does not check more than one certificate. It only uses the certificate uploaded in the Salesforce Single Sign-On Settings, and it compares that one to the primary certificate configured in ADFS; the secondary certificate is never consulted.
Solution: When a new or primary certificate is uploaded to the ADFS relying trust, be sure a Remedyforce Administrator is already logged into Remedyforce, or can still log in, so that the certificate can be updated in the Single Sign-On Settings (SAML Single Sign-On Settings | Identity Provider Certificate | Choose File). This eliminates any downtime.
A newly uploaded certificate is rejected as invalid. This does not happen very often, but when it does, the certificate can be checked with a decoder such as: https://www.sslshopper.com/certificate-decoder.html
Why? The certificate was self-generated incorrectly.
Solution: Purchase or generate another certificate.
10/17/19 - It has been a while. Here are the latest things we see surrounding Single Sign-On. Single Sign-On is generally pretty straightforward. The challenge is that it only needs to be configured once every year or two, so in this case "Fix and forget it" is not our friend.
ADFS: How to update a certificate that is about to expire:
1. Open ADFS | Expand Service | Click Certificates
2. Check the expiration date of the primary certificate in the Token-signing certificate section.
3. If it is about to expire, it will need to be replaced with a certificate that is either purchased or self-generated. If there is more than one certificate, the one used by Salesforce will be the primary.
4. If the certificate you need is already there, export it; if it is not there, add it and make it the primary.
5. Log into Salesforce | Go to Setup | Open the Single Sign-On Settings
6. Click Edit on the Single Sign-On Setting that is configured.
7. Next to Identity Provider Certificate, click Choose File.
8. Upload the certificate exported in Step 4.
9. Once the certificate has been uploaded verify users can log in using Single Sign On.
10. Bookmark the page so it can be found again in a year or when the cert needs to be updated.
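The checks behind Steps 2 through 4, and the primary-only behaviour described in the ADFS section above, can be scripted on the ADFS server so the same mistake (promoting a new primary without re-uploading it to Salesforce) is caught early. The following PowerShell is an added example, not code from the original post or from BMC or Salesforce. It assumes the ADFS PowerShell module is available (run on an ADFS server as an ADFS administrator); the export path and the 30-day warning threshold are assumptions chosen for the example.

```powershell
# Added example: inspect ADFS token-signing certificates, export the PRIMARY one
# (the only one Salesforce will compare against), and re-check the exported file
# before it is uploaded under Single Sign-On Settings | Identity Provider Certificate.
# Assumed values: the output path and the warning threshold below.
param(
    [string]$ExportPath = "C:\Temp\adfs-token-signing-primary.cer",
    [int]$WarnDays = 30
)

Import-Module ADFS

# One row per token-signing certificate: thumbprint, primary flag, expiry, days left.
function Get-TokenSigningStatus {
    Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            IsPrimary  = $_.IsPrimary
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Export the primary token-signing certificate as a DER .cer file (public part only,
# which is all Salesforce needs). Returns the thumbprint of what was exported.
function Export-PrimaryTokenSigningCert {
    param([string]$Path)
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    if (-not $primary) { throw "No primary token-signing certificate found." }
    $bytes = $primary.Certificate.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $primary.Thumbprint
}

# Re-read the exported file the way an online decoder would, so a file that does not
# parse, or a certificate outside its validity window, is caught before the upload.
function Test-ExportedCert {
    param([string]$Path)
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    } catch {
        Write-Warning "File does not parse as an X.509 certificate: $($_.Exception.Message)"
        return $false
    }
    $now = Get-Date
    Write-Host "Subject   : $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    Write-Host "Valid     : $($cert.NotBefore) to $($cert.NotAfter)"
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
        Write-Warning "Certificate is not currently valid."
        return $false
    }
    return $true
}

# Step 2: show the certificates and warn on anything close to expiry.
$status = Get-TokenSigningStatus
$status | Format-Table -AutoSize
$status | Where-Object { $_.DaysLeft -le $WarnDays } | ForEach-Object {
    Write-Warning "Token-signing cert $($_.Thumbprint) expires in $($_.DaysLeft) days (primary: $($_.IsPrimary))."
}

# Caveat worth knowing: with AutoCertificateRollover on, ADFS generates and promotes a
# new primary by itself, and Salesforce will stop accepting logins until it is re-uploaded.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is enabled: re-run this export and re-upload after every rollover."
}

# Step 4: export the primary, then verify the file that will be uploaded in Step 8.
$thumb = Export-PrimaryTokenSigningCert -Path $ExportPath
Write-Host "Exported primary token-signing certificate $thumb to $ExportPath"
if (Test-ExportedCert -Path $ExportPath) {
    Write-Host "Upload this file: Setup | Single Sign-On Settings | Edit | Identity Provider Certificate | Choose File"
}
```

The `IsPrimary` filter is the important part: exporting whichever certificate happens to be listed first, or the one that was just added as secondary, is exactly how the "no one can log in" outage described above happens. Keep the exported thumbprint with the bookmark from Step 10 so next year's comparison against the Salesforce setting is a one-line check.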
How to Configure OneLogin: (Video by OneLogin for OneLogin - Safe Harbor)
How to Configure OKTA: (Video by OKTA for OKTA - Safe Harbor)