Skip to main content

Configure SAML SSO using the API

You can configure SAML SSO using the DigiCert® Private CA API instead of the UI.

Use this option for automation or scripted deployments in a customer-hosted environment.

Retrieve the Private CA service provider metadata

Use this request to retrieve the DigiCert Private CA service provider metadata.

curl -sk 'https://<your-ca-host>/certificate-authority/api/v1/auth/saml/metadata' \
  -H 'accept: application/xml, text/xml' \
  -H 'x-api-key: <superadmin-api-key>'

The response returns SAML service provider metadata XML.

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://<your-ca-host>/certificate-authority/api/v1/auth/saml/metadata">
  <SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
    AuthnRequestsSigned="false"
    WantAssertionsSigned="true">
    <AssertionConsumerService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://<your-ca-host>/certificate-authority/api/v1/auth/saml/acs"
      index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

Save the SAML SSO configuration

Use this request to save the SAML SSO configuration.

curl -sk -X POST 'https://<your-ca-host>/certificate-authority/api/v1/api/saml/config' \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: <superadmin-api-key>' \
  -d '{
    "enabled": true,
    "idpEntityId": "https://your-idp.example.com/app/entity-id",
    "idpSsoUrl": "https://your-idp.example.com/sso",
    "idpMetadataXml": "<full IdP metadata XML string>",
    "idpCertificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
  }'

Expected response:

{
  "message": "SAML configuration saved successfully"
}

Verify that SAML SSO is enabled

Use this request to confirm that SAML SSO is enabled.

curl -sk 'https://<your-ca-host>/certificate-authority/api/v1/auth/saml/enabled' \
  -H 'x-api-key: <api-key>'

Expected response:

{
  "enabled": true
}