When your proxy certificate expires, update the certificate, and import the new certificate into Salesforce. You also receive a notification through email, when your proxy certificate is expired or about to expire. For details, see Reverse Proxy Certificate Expiration Notification.
To update your proxy certificate:
- Click Renew Certificate from your Salesforce Managed Service.
- A dialog box warning you to update SSO configurations appears. Click Renew. A confirmation appears, informing you that the certificate is created and updated shortly.
- Log in to your managed service (without SSO) and make sure you can access Salesforce via proxy to confirm that the certificate has been pushed.
- In your tenant, go to the Managed Service and select the SAML Certificates link. Then click Download SAML Certificate.
- After downloading the certificate, log into Salesforce and go to Setup > Security Controls > Single Sign-on Settings. Edit the settings for SSO config, and upload the certificate you downloaded from the proxy to the Identity Provider Certificate setting.
- Save your changes.
Test using the procedures outlined below.
To test the new proxy certificate:
- Log in and open the Okta Homepage. You should see your Salesforce application. If not, you need to go back to admin and assign the application to your user account.
- After pressing the Salesforce button, you should be directed via the reverse proxy to your Salesforce sandbox.