Below are some best practices to follow when onboarding customers:
Check for any time skew that may lead to inconsistent timeout or session-creation issues. Salesforce.com allows a maximum of three minutes of clock skew with your IdP server, so ensure your server's clock is up to date.
Perform periodic testing to make sure that the time skew is within a couple of minutes.
A quick process can be written to fetch the times from the IdP and Salesforce (getServerTimestamp()) and compute the difference to make sure it is within limits.
Periodically ensure that server certificates are not expired.
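One way to write the skew check described above, as an added example that is not Salesforce's or the original page's code. It assumes the IdP's time is read from the HTTP Date header of an IdP response; the function names and both sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_S = 180   # Salesforce's stated limit: three minutes
WARN_SKEW_S = 120  # "within a couple of minutes" target used for early warning

# Constructed sample of a getServerTimestamp() SOAP response body.
SF_RESPONSE = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns="urn:partner.soap.sforce.com"><soapenv:Body>
  <getServerTimestampResponse><result>
    <timestamp>2024-03-05T10:15:30.000Z</timestamp>
  </result></getServerTimestampResponse>
</soapenv:Body></soapenv:Envelope>"""

# Constructed sample: Date header from an IdP HTTP response (assumed time source).
IDP_DATE_HEADER = "Tue, 05 Mar 2024 10:17:40 GMT"


def parse_sf_timestamp(soap_xml):
    """Return the <timestamp> of the SOAP response as an aware UTC datetime."""
    root = ET.fromstring(soap_xml)
    for el in root.iter():
        # Compare local names so the check does not depend on the namespace prefix.
        if el.tag.rsplit("}", 1)[-1] == "timestamp" and el.text:
            ts = el.text.strip().replace("Z", "+00:00")
            return datetime.fromisoformat(ts).astimezone(timezone.utc)
    raise ValueError("no <timestamp> element in response")


def check_skew(idp_time, sf_time):
    """Return (skew_seconds, status); status is 'ok', 'warn' or 'fail'."""
    skew = abs((idp_time - sf_time).total_seconds())
    if skew > MAX_SKEW_S:
        status = "fail"   # beyond the three-minute limit
    elif skew > WARN_SKEW_S:
        status = "warn"   # still accepted, but drifting toward the limit
    else:
        status = "ok"
    return skew, status


if __name__ == "__main__":
    sf = parse_sf_timestamp(SF_RESPONSE)
    idp = parsedate_to_datetime(IDP_DATE_HEADER)
    skew, status = check_skew(idp, sf)
    print(f"IdP={idp.isoformat()} SF={sf.isoformat()} skew={skew:.0f}s -> {status}")
```

When run against live endpoints, fetch both times back to back: network latency between the two requests adds to the measured skew.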
Example questions to ask when setting up SSO:
Who is their Identity Provider?
What method of SSO would they like to implement (e.g., SAML 1.1 or 2.0)?
Do they want their users to log in exclusively through SSO, or do they also want a username/password option?
What security requirements do they have around SSO?
Would they like to support an identity provider initiated flow, a service provider initiated flow, or both?
When does their campaign launch?