cesabarre (Member since 2012)

I have configured SSO using Salesforce as an Identity Provider and an external software system acting as a Service Provider. In order to ensure the identity of the external SP, a CA-signed certificate was generated, signed by a CA, and uploaded to Salesforce. For the Salesforce Identity Provider, a CA-signed certificate was generated on Salesforce.com, a CSR exported, signed by a CA, and re-imported back into Salesforce. However, when attempting to assign this CA-signed certificate for use with the Salesforce Identity Provider, it is not available to be used. Further research into the documentation uncovered that CA-signed certificates cannot be used for the Salesforce Identity Provider.

I am perplexed as to why Salesforce does not allow CA-signed certificates to be used for the Identity Provider, permitting only self-signed certificates to be used. This forces any external integrating application acting as an SP to expose a hole in its security to permit self-signed certificates.

Is there reasoning I am not seeing as to why this is still secure? Can an exception be made to use the uploaded CA-signed certificate for the Salesforce IdP? If not, is the ability to use CA-signed certificates planned as a future enhancement?

Thanks in advance!
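Added example, not part of the original post or of Salesforce's own code: in SAML 2.0 a Service Provider trusts the Identity Provider by pinning the signing certificate published in the IdP metadata (the `KeyDescriptor use="signing"` element), so signature validation does not depend on whether that certificate chains to a CA. The snippet below extracts the signing certificate from a constructed metadata document (the certificate body is a placeholder blob, and the entityID is an assumed example value) and compares its SHA-256 fingerprint against a pinned value, which is the check an SP operator would want in place regardless of how the IdP certificate was issued.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a placeholder "DER" blob standing in for a real certificate.
FAKE_CERT_DER = b"constructed-placeholder-certificate-bytes"

# Constructed IdP metadata in the SAML 2.0 metadata schema (entityID is assumed).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(cert=base64.b64encode(FAKE_CERT_DER).decode())


def signing_cert_fingerprints(metadata_xml: str) -> List[str]:
    """Return SHA-256 fingerprints (lowercase hex) of each IdP signing certificate.

    A KeyDescriptor with no 'use' attribute covers both signing and encryption,
    so it is treated as a signing key; use="encryption" keys are skipped.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata wraps the base64 body; strip whitespace before decoding.
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def idp_cert_is_pinned(metadata_xml: str, pinned_fingerprint: str) -> bool:
    """SP trust decision: accept the IdP only if its signing cert matches the pin."""
    pin = pinned_fingerprint.replace(":", "").lower()
    return pin in signing_cert_fingerprints(metadata_xml)
```

Rotate the pin together with the IdP certificate; a fingerprint mismatch after a metadata refresh is the signal to investigate rather than to loosen the check.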