Skip to main content

Configure your identity provider for SAML SSO

After you download the DigiCert® Private CA service provider metadata, configure a SAML 2.0 application in your identity provider.

The exact steps depend on your identity provider.

Supported configuration values

Use these values from DigiCert Private CA when configuring your identity provider.

Identity provider setting

DigiCert Private CA value

Entity ID, Audience URI, or Client ID

SP Entity ID

Reply URL, ACS URL, or Single Sign-On URL

Assertion Consumer Service URL

Logout URL or SLO URL

Single Logout URL

NameID format

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Configure Okta for SAML SSO

Configure Okta as the SAML identity provider for DigiCert Private CA.

Before you begin

Download the DigiCert Private CA service provider metadata or copy the service provider endpoint values.

To configure Okta:

  1. In the Okta Admin Console, go to Applications.

  2. Select Create App Integration.

  3. Select SAML 2.0.

  4. Set Single Sign-On URL to the DigiCert Private CA ACS URL.

  5. Set Audience URI to the DigiCert Private CA SP Entity ID.

  6. Add the following attribute statements.

    Attribute

    Value

    email

    User email address

    firstName

    User first name

    lastName

    User last name

  7. Assign the application to the required users or groups.

  8. Download the identity provider metadata XML from the Sign On tab.

  9. Upload the metadata XML in DigiCert Private CA.

Configure Microsoft Entra ID for SAML SSO

Configure Microsoft Entra ID as the SAML identity provider for DigiCert Private CA.

Before you begin

Download the Private CA service provider metadata or copy the service provider endpoint values.

To configure Microsoft Entra ID:

  1. In Microsoft Entra ID, go to Enterprise applications.

  2. Create a new non-gallery application.

  3. Configure Single sign-on using SAML.

  4. In Basic SAML Configuration, set Identifier (Entity ID) to the DigiCert Private CA SP Entity ID.

  5. Set Reply URL (ACS URL) to the DigiCert Private CA ACS URL.

  6. Configure attributes and claims for:

    • email

    • firstName

    • lastName

  7. Download the federation metadata XML.

  8. Upload the metadata XML in DigiCert Private CA.

Configure Keycloak for SAML SSO

Configure Keycloak as the SAML identity provider for DigiCert Private CA.

Before you begin

Download the DigiCert Private CA service provider metadata or copy the service provider endpoint values.

To configure Keycloak:

  1. Create a new SAML client.

  2. Set Client ID to the DigiCert Private CA SP Entity ID.

  3. Set Valid Redirect URIs to the DigiCert Private CA ACS URL.

  4. Configure mappers for:

    • email

    • firstName

    • lastName

  5. Export the identity provider metadata from Realm Settings > SAML 2.0 Identity Provider Metadata.

  6. Upload the metadata XML in DigiCert Private CA.