Skip to main content

Validate SAML SSO sign-in and logout

After you configure SAML SSO, validate sign-in, fallback local sign-in, and logout behavior in DigiCert® Private CA.

Validate SSO sign in

To Validate SSO sign-in:

  1. Open the DigiCert Private CA sign-in page.

  2. Confirm that Sign in with SSO is displayed.

  3. Select Sign in with SSO.

  4. Confirm that you are redirected to your identity provider sign-in page.

  5. Sign in with a user assigned to the SAML application.

  6. Confirm that you are redirected back to DigiCert Private CA.

Confirm the signed in user

After a successful SSO sign in, confirm the following in the Private CA.

Check

Expected result

Session

A session is created for the signed-in user.

User account

The user appears in the users list on the user management page.

User role

The user receives the expected role based on your SAML and role-mapping configuration.

Validate local fallback sign-in

Local superadmin sign-in remains available when SAML SSO is enabled.

  1. Sign out of the Private CA.

  2. Return to the sign-in page.

  3. Sign in with the local superadmin username and password.

  4. Confirm that local superadmin sign-in succeeds.

Validate SP-initiated logout

  1. Sign in to DigiCert Private CA using SSO.

  2. Select Logout.

  3. Confirm that you return to the sign-in page.

  4. Try to access a protected page.

  5. Confirm that access is denied until you sign in again.

Validate IdP-initiated logout

If your identity provider supports IdP-initiated logout, configure it to send single logout (SLO) requests to:

https://<your-ca-host>/certificate-authority/api/v1/auth/saml/slo

DigiCert Private CA validates the SLO request before completing logout.

Validation

Description

Issuer

The issuer must match the configured identity provider entity ID.

Destination

The destination must match the DigiCert Private CA SLO endpoint.

Expiration

The NotOnOrAfter value must not be expired.