Certificates
Single Sign-On uses a single set of login credentials to access authorized resources across multiple organizations. The process involves communication between multiple applications or organizations, so each party must be able to verify that the source of an authentication request or response is a trusted application. The applications or organizations use certificates for this identification. Certificates are used to sign and verify, and to encrypt and decrypt, the requests and responses exchanged between the Service Provider and the Identity Provider.
The Single Sign-On process involves multiple certificates, some mandatory and some optional. The certificates involved in Single Sign-On are:
- Request Signing Certificate
- Token Encryption Certificate
- Token Signing Certificate
- Self-Signed Certificate
- CA Signed Certificate
Request Signing Certificate
The Request Signing Certificate is used to sign SAML requests. Salesforce signs the request with the request signing certificate, so the certificate must be shared with the IDP (ADFS 2.0) so that it can verify the signature.
To check the validity of Request Signing Certificate in ADFS 2.0:
- Navigate to the ADFS server and open the Active Directory Federation Services (ADFS) 2.0 Management console.
- In the left pane, expand Trust Relationships and click Relying Party Trusts.
- Right-click the appropriate Relying Party Trust and click Properties. The Salesforce Properties window appears.
The Salesforce Properties window
- Click the Signature tab to view the certificate details.
Token Encryption Certificate
The Token Encryption Certificate is used to encrypt SAML tokens. The Salesforce application must provide ADFS 2.0 with the token encryption certificate, which must be imported into ADFS 2.0 when configuring Salesforce as a relying party. Once the certificate is imported into the relying party's configuration, ADFS displays the issuer and expiry date of the certificate.
To check the validity of Token Encryption Certificate in ADFS 2.0:
- Follow steps 1 to 3 of the Request Signing Certificate procedure above. The Salesforce Properties window appears.
The Salesforce Properties window
- Click the Encryption tab to view the certificate details.
Token Signing Certificate
The Token Signing Certificate is a mandatory certificate. The Identity Provider issues this certificate and the Salesforce application consumes it. Using the public key in this certificate, Salesforce verifies the authenticity of the encrypted security token. Once the certificate has been imported into Salesforce, the expiry date of the certificate is visible there. For more information, see https://technet.microsoft.com/en-us/library/hh341466.aspx
To check the validity of Token Signing Certificate in Salesforce:
- Log in to Salesforce.
- In the Administration Setup section, expand Security Controls and click Single Sign-On Settings. The Single Sign-On Settings page appears.
Single Sign-on Settings Page
- Click the appropriate SSO configuration. The Single Sign-On Settings page for that configuration appears, displaying the certificate validity.
The Single Sign-On Settings page displaying the IDP Certificate validity
Self-Signed Certificate
A self-signed certificate is signed by the application whose identity it certifies.
CA Signed Certificate
A CA Signed Certificate is one signed by a Certificate Authority (CA). This certificate is used to create a trust relationship between two applications or organizations, such as Salesforce and ADFS 2.0.
For more information on CA Signed Certificates, see the links below:
- https://www.instantssl.com/ssl-certificate-support/csr-generation/iis-ssl-certificate-7x.html
- https://support.godaddy.com/help/article/4800/generating-iis-7-csrs-certificate-signing-requests?countrysite=in
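The console procedures above show where ADFS and Salesforce display each certificate's expiry, and the last two sections distinguish self-signed from CA-signed certificates. The script below is an added example, not part of the original page and not Salesforce or ADFS code, that performs the same checks from the command line with the openssl CLI: it reads a PEM certificate's notAfter date and SHA-256 fingerprint, warns if the certificate will lapse within a given window, tells a self-signed certificate from a CA-signed one by comparing issuer and subject, and shows why the token signing certificate must be imported at the consumer by verifying a signed token with nothing but the certificate's public key. It assumes `openssl` is on PATH; the certificates it creates are constructed throwaways with made-up names (example-idp.invalid, rogue.invalid), and the token body is a constructed stand-in for a SAML assertion.

```shell
#!/bin/sh
# Added example (not from the original page): openssl checks on SSO certificates.
# Assumes the openssl CLI is installed. Every certificate and token here is a
# constructed throwaway; nothing is a real Salesforce or ADFS artefact.

# Create a throwaway self-signed certificate and key (constructed sample input).
# $1 = cert PEM out, $2 = key PEM out, $3 = lifetime in days, $4 = common name
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$4" -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Print the notAfter date, the value the ADFS and Salesforce consoles display.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate is still valid $2 seconds from now, else 1.
# Suitable for a scheduled job that warns before an IdP/SP certificate lapses.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Return 0 if the certificate is self-signed: issuer DN equals subject DN.
# A CA-signed certificate names the CA as issuer instead.
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Print the SHA-256 fingerprint, for comparing the copy imported at the peer
# against the original before trusting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Issuer side: sign a token file with the private key behind the certificate.
# $1 = key PEM, $2 = token file, $3 = signature output file
sign_token() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Consumer side: verify the token using only the certificate's public key,
# which is all the consumer holds once the certificate has been imported.
# $1 = cert PEM, $2 = token file, $3 = signature file; returns 0 if genuine.
verify_token() {
    pub=$(mktemp)
    openssl x509 -in "$1" -noout -pubkey > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$pub"
    return $rc
}

# Demo: run as `sh check_sso_certs.sh --demo` (the file name is assumed).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_cert "$d/idp.pem" "$d/idp.key" 30 example-idp.invalid
    printf 'constructed token body' > "$d/token"
    sign_token "$d/idp.key" "$d/token" "$d/token.sig"
    echo "notAfter:    $(cert_not_after "$d/idp.pem")"
    echo "fingerprint: $(cert_fingerprint "$d/idp.pem")"
    cert_is_self_signed "$d/idp.pem" && echo "self-signed: yes"
    if cert_valid_for "$d/idp.pem" $((7 * 86400)); then
        echo "expiry:      more than 7 days away"
    else
        echo "expiry:      within 7 days, plan the rotation"
    fi
    verify_token "$d/idp.pem" "$d/token" "$d/token.sig" && echo "token: signature OK"
    rm -rf "$d"
fi
```

`cert_valid_for` wraps `openssl x509 -checkend`, which exits non-zero as soon as the certificate would expire inside the window, so a nightly run with a window of, say, 30 days gives enough notice to rotate the token signing certificate at the IdP and re-import it in Salesforce before authentication starts failing. `verify_token` deliberately never touches the private key: a token signed by a different key (a certificate that was never imported) fails verification, which is exactly the trust decision the consumer makes on every SAML response.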