Here are some of the things we tend to see with BMC Helix Remedyforce and Single Sign-On.
Active Directory Federation Services (ADFS):
Hoping to avoid an outage due to an expiring certificate, admins proactively upload a new primary certificate and make the expiring certificate the secondary certificate in the ADFS Relying Trust. What happens? No one can log in!
Why? Salesforce does not, perhaps cannot, check more than one certificate. It can only use the certificate configured in the Salesforce Single Sign-On Settings, which it compares to the one configured in the primary trust in ADFS.
Solution: When a new or primary certificate is uploaded to the ADFS relying trust, be sure a Remedyforce Administrator is also logged into, or can log into, Remedyforce to update the certificate in the Single Sign-On Settings (SAML Single Sign-On Settings | Identity Provider Certificate | Choose File). This will eliminate any downtime.
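One way to confirm which side is out of step during a rollover, as an added example that is not BMC, Salesforce or Microsoft code: it compares the certificate embedded in a captured SAML response with the single certificate file uploaded to Salesforce. It assumes the response carries its signing certificate in `ds:X509Certificate`; the function names are hypothetical and the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, used here only to compare two certificates."""
    return hashlib.sha256(der).hexdigest()

def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines of a PEM certificate file and decode the body."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines if not l.startswith("-----")))

def presented_fingerprints(saml_response_b64: str) -> set:
    """Fingerprints of the certificates embedded in the response's signatures.
    Diagnostic only: this does not verify the signature itself."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {fingerprint(base64.b64decode("".join(e.text.split())))
            for e in root.iter(DS_CERT) if e.text}

def check_rollover(saml_response_b64: str, salesforce_pem: str) -> dict:
    """Compare the IdP's signing certificate with the one Salesforce holds."""
    configured = fingerprint(pem_to_der(salesforce_pem))
    presented = presented_fingerprints(saml_response_b64)
    return {"configured": configured, "presented": sorted(presented),
            "match": presented == {configured}}

# --- constructed sample data: placeholder bytes, not real certificates ---
def sample_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

def sample_response(der: bytes) -> str:
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo>'
           '<ds:X509Data><ds:X509Certificate>' + base64.b64encode(der).decode()
           + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
           '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

OLD_CERT, NEW_CERT = b"constructed-expiring-cert", b"constructed-new-primary-cert"

if __name__ == "__main__":
    after_adfs_change = sample_response(NEW_CERT)
    # Salesforce still holds the expiring certificate, then the new one
    print(check_rollover(after_adfs_change, sample_pem(OLD_CERT))["match"])
    print(check_rollover(after_adfs_change, sample_pem(NEW_CERT))["match"])
```

A `match` of false after the ADFS change means the Single Sign-On Settings still hold the old certificate and need the new file uploaded.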