Configure SAML SSO using the API
You can configure SAML SSO using the DigiCert® Private CA API instead of the UI.
Use this option for automation or scripted deployments in a customer-hosted environment.
Retrieve the Private CA service provider metadata
Use this request to retrieve the DigiCert Private CA service provider metadata.
curl -sk 'https://<your-ca-host>/certificate-authority/api/v1/auth/saml/metadata' \ -H 'accept: application/xml, text/xml' \ -H 'x-api-key: <superadmin-api-key>'
The response returns SAML service provider metadata XML.
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://<your-ca-host>/certificate-authority/api/v1/auth/saml/metadata">
<SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
AuthnRequestsSigned="false"
WantAssertionsSigned="true">
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://<your-ca-host>/certificate-authority/api/v1/auth/saml/acs"
index="0"/>
</SPSSODescriptor>
</EntityDescriptor>Save the SAML SSO configuration
Use this request to save the SAML SSO configuration.
curl -sk -X POST 'https://<your-ca-host>/certificate-authority/api/v1/api/saml/config' \
-H 'Content-Type: application/json' \
-H 'x-api-key: <superadmin-api-key>' \
-d '{
"enabled": true,
"idpEntityId": "https://your-idp.example.com/app/entity-id",
"idpSsoUrl": "https://your-idp.example.com/sso",
"idpMetadataXml": "<full IdP metadata XML string>",
"idpCertificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}'Expected response:
{
"message": "SAML configuration saved successfully"
}Verify that SAML SSO is enabled
Use this request to confirm that SAML SSO is enabled.
curl -sk 'https://<your-ca-host>/certificate-authority/api/v1/auth/saml/enabled' \ -H 'x-api-key: <api-key>'
Expected response:
{
"enabled": true
}