Replace the Default Proxy Certificate for SAML Single Sign-On
1. If you are using Single SAML Configurations, enable multiple configurations by clicking Enable Multiple Configs under Single Sign-On Settings. Read and understand all the instructions on that page. Enabling multiple configurations switches the certificate, so skip Step 2.
2. Edit each affected configuration by changing the Request Signing Certificate to a certificate in your org. If you don’t have a certificate and key pair you want to use, upload one or select Generate self-signed certificate.
3. Check whether service provider-initiated SAML works properly for your configuration. If it does, no identity provider updates are necessary, and you can skip steps four and five. If you migrated from a single to multiple configurations, update the Assertion Consumer Service URL.
4. If identity provider updates are necessary, download the certificate you selected for the Request Signing Certificate.
5. Upload this certificate into the identity provider for use in validating SAML requests from Salesforce. If you migrated to multiple configurations from a single configuration, note the Salesforce Login URL and update the value in the identity provider.
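
When checking service provider-initiated SAML after the certificate change, it helps to see exactly what the identity provider receives. The following is an added example, not Salesforce code: it decodes an AuthnRequest from a login redirect URL captured in your own browser and reports the Assertion Consumer Service URL and whether the request carries a signature. It assumes the HTTP-Redirect binding; every URL and value in the sample is a constructed placeholder.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def inspect_authn_request(url):
    """Decode a SAML HTTP-Redirect login URL and summarise what the IdP will see."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)  # raw DEFLATE, as the redirect binding requires
    # Stdlib parser is fine for a request you captured yourself; prefer defusedxml for untrusted XML.
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        # In this binding the signature travels as query parameters, not inside the XML.
        "signed": "Signature" in params and "SigAlg" in params,
        "sig_alg": params.get("SigAlg", [None])[0],
    }

def build_sample_url(signed=True):
    # Constructed sample request; the hosts, ID and signature value are placeholders.
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        'Destination="https://idp.example.com/sso" '
        'AssertionConsumerServiceURL="https://sp.example.com/acs-placeholder">'
        '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
    )
    deflater = zlib.compressobj(wbits=-15)
    data = deflater.compress(xml.encode()) + deflater.flush()
    query = {"SAMLRequest": base64.b64encode(data).decode()}
    if signed:
        query.update(SigAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                     Signature="Q09OU1RSVUNURUQ=")
    return "https://idp.example.com/sso?" + urlencode(query)

if __name__ == "__main__":
    print(inspect_authn_request(build_sample_url()))
```

Compare the reported `acs_url` and `issuer` with the values configured in the identity provider. The script only reports that a signature is present; validating it against the downloaded Request Signing Certificate is the identity provider's job.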