
Configure SAML Single Sign-On

Before you begin

Make sure you meet the prerequisites:

  • You have SAML enabled for your account.

  • You have your IdP metadata (dynamic or static).

  • You have what you need to match CertCentral users to SAML users (Name ID field or attribute).

See SAML single sign-on prerequisites and SAML service workflow.

Configure SAML Single Sign-on

  1. Go to the Federation Settings page.

    1. In sidebar menu, click Settings > Single Sign-On.

    2. On the Single Sign-on (SSO) page, click Edit Federation Settings.

  2. Set up your identity provider metadata.

    On the Federation Settings page, in the Your IDP's Metadata section, complete the tasks below.

    1. Add IdP metadata

      Under How will you send data from your IDP?, use one of these options to add your metadata:

      1. XML Metadata

        Provide DigiCert with your IdP metadata in XML format.

        If your IdP metadata changes, you'll need to manually update your IdP metadata in your account.

      2. Use a dynamic URL

        Provide DigiCert with the link to your IdP metadata.

        If your IdP metadata changes, your IdP metadata is updated automatically in your account.

    2. Identify users.

      For SAML Single Sign-on to succeed, CertCentral must be able to match the identifier carried in your IdP's SAML assertion to an SSO user's username in CertCentral. You decide which part of the assertion is used for that match.

      Under How will you identify a user?, use one of these options to match SSO users with their usernames in CertCentral.

      1. NameID

        Use the NameID field to match your CertCentral users to their SAML Single Sign-on (SSO) users.

      2. Use a SAML attribute

        Use an attribute to match your CertCentral users to their SAML Single Sign-on (SSO) users.

        In the box, enter the attribute you want to use (for example, email).

        This attribute must appear in the assertion your IdP sends to DigiCert, for example:

          <AttributeStatement>
            <Attribute Name="email">
              <AttributeValue>user@example.com</AttributeValue>
            </Attribute>
          </AttributeStatement>

    3. Add a federation name.

      Under Federation Name, enter a federation name (friendly name) to include in the custom SSO URL that is created. You will send this SSO URL to SSO-only users.

      Note

      The federation name must be unique. We recommend using your company name.

    4. Include Federation Name.

      By default, we add your Federation Name to the IdP Selection page, where your SSO users can easily access your SP Initiated Custom SSO URL.

      To keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.

    5. Save.

      When you are finished, click Save & Finish.

  3. Add the DigiCert service provider (SP) metadata

    On the Single Sign-on (SSO) page, in the DigiCert’s SP Metadata section, complete one of these tasks to add the DigiCert SP metadata to your IdP's metadata:

    • Dynamic URL for DigiCert's SP metadata

      Copy the dynamic URL for the DigiCert SP metadata and add it to your IdP to establish the SSO connection.

      If the DigiCert SP metadata ever changes, your SP metadata is updated automatically in your IdP.

    • Static XML

      Copy the DigiCert SP metadata in XML format and add it to your IdP to establish the SSO connection.

      If the DigiCert SP metadata ever changes, you'll need to update it manually in your IdP.

  4. Configure SSO Settings for users

    When adding users to your account, you can restrict users to Single Sign-on authentication only (SSO-only users). By default, these users don't have API access (for example, they can't create working API keys).

    To allow SSO-only users to create API keys and build API integrations, check Enable API access for SSO-only users.

    Note

    The Enable API access for SSO-only users option allows SSO-only users with API keys to bypass Single Sign-on. Disabling API access for SSO-only users doesn't revoke existing API keys. It only blocks the creation of new API keys.

  5. Sign in and finalize the SAML SSO to CertCentral connection

    On the Single Sign-on page, in the SP Initiated Custom SSO URL section, copy the URL and paste it into a browser. Then, use your IdP credentials to sign in to your CertCentral account.


What's next

Start managing your Single Sign-on users in your account (add SAML SSO-only users to your account, convert existing account users to SAML SSO-only users, etc.). See Managing SAML Single Sign-on (SSO) users and Allow access to SAML Settings permission.