Configure SAML single sign-on
How to configure your Security Assertion Markup Language (SAML) single sign-on in CertCentral.
Before you begin
Make sure you meet the prerequisites:
SAML enabled for your CertCentral account
Have your identity provider (IdP) metadata (dynamic or static)
Have what you need to match CertCentral users to SAML users, such as the NameID or a SAML attribute.
To learn more about these prerequisites, see the SAML single sign-on prerequisites and SAML service workflow pages.
Configure SAML single sign-on
Go to the Federation Settings page.
In the left menu, select Settings > Single Sign-On.
On the Single Sign-on (SSO) page, select Edit Federation Settings.
Set up your identity provider metadata.
On the Configure SAML integration page, under Federation settings, in the Your IDP's Metadata section, do the following tasks.
Add IdP metadata
Under How will you send data from your IDP, use one of these options to add your metadata:
XML Metadata
Provide DigiCert with your IdP metadata in XML format.
With this option, if your IdP metadata changes, you must manually update your IdP metadata in CertCentral.
Use a dynamic URL
Provide DigiCert with the link to your IdP metadata.
With this option, if your IdP metadata changes, your IdP metadata is updated automatically in CertCentral.
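Whichever option you choose, it is worth inspecting the IdP metadata before uploading it: the service provider can only verify assertion signatures if the metadata publishes a signing certificate, every endpoint should be served over https, and the single logout option further down this page only works if the IdP advertises a SingleLogoutService endpoint. The following script is an added example written for this page; it is not DigiCert or CertCentral code and does not talk to CertCentral. The metadata it parses is constructed, and the entityID, endpoint URLs and certificate text are placeholders.

```python
"""Inspect SAML IdP metadata before handing it to a service provider.

Added example for this page; it is not DigiCert or CertCentral code and
does not talk to CertCentral. The metadata below is constructed: the
entityID, endpoint URLs and certificate text are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata in the "XML Metadata" (static) form.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_idp_metadata(xml_text):
    """Return the fields a service provider relies on, plus a list of issues.

    Checks made here: the document really is IdP metadata, at least one
    signing certificate is published (assertion signatures cannot be
    verified without one), every endpoint uses https, and a single logout
    endpoint exists before the single-logout option is turned on.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    summary = {
        "entity_id": root.get("entityID"),
        "signing_certs": [],
        "sso": {},   # binding URN -> Location
        "slo": {},   # binding URN -> Location
        "nameid_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text],
        "issues": [],
    }

    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    summary["signing_certs"].append("".join(cert.text.split()))

    for tag, key in (("md:SingleSignOnService", "sso"), ("md:SingleLogoutService", "slo")):
        for ep in idp.findall(tag, NS):
            binding, location = ep.get("Binding"), ep.get("Location", "")
            summary[key][binding] = location
            if not location.startswith("https://"):
                summary["issues"].append(f"{tag} ({binding}) is not served over https: {location!r}")

    if not summary["signing_certs"]:
        summary["issues"].append("no signing certificate: assertion signatures cannot be verified")
    if not summary["sso"]:
        summary["issues"].append("no SingleSignOnService endpoint")
    if not summary["slo"]:
        summary["issues"].append("no SingleLogoutService endpoint: leave the single logout option off")
    return summary


if __name__ == "__main__":
    result = summarize_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the metadata your IdP actually exports (for the dynamic URL option, fetch the URL and pass the body in). An empty issues list is the state you want before selecting Save SAML settings; a missing SingleLogoutService is the cue to leave the single logout option unchecked.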
Identify users.
For SAML single sign-on to be successful, you must decide how to match your SSO assertion with the SSO users’ usernames in CertCentral.
Under How will you identify a user, use one of these options to match SSO users with their usernames in CertCentral.
NameID
Use the NameID field to match your CertCentral users to their SAML single sign-on (SSO) users.
Use a SAML attribute
In the box, enter the attribute you’re using to match your CertCentral users to their SAML single sign-on (SSO) users.
This attribute needs to appear in the assertion your IdP sends to DigiCert. For example, an email attribute:
<AttributeStatement>
  <Attribute Name="email">
    <AttributeValue>user@example.com</AttributeValue>
  </Attribute>
</AttributeStatement>
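The two options above come down to which element of the assertion the service provider reads after it has verified the signature: the Subject's NameID, or one named attribute in the AttributeStatement. The script below is an added example for this page, not DigiCert or CertCentral code; it shows both readings on a constructed assertion and refuses an attribute that is missing or multi-valued rather than guessing, because an ambiguous identifier must never log a user in. Signature and Conditions checks are deliberately out of scope here; a real service provider does them first. The user-matching rule at the end (exact, case-insensitive) is this example's assumption, not a statement of how CertCentral matches usernames.

```python
"""Pick the identifier a service provider matches against its user list.

Added example for this page; not DigiCert or CertCentral code. It mirrors
the two options above (NameID or a named SAML attribute) on a constructed
assertion. Signature and Conditions checks are deliberately out of scope:
a real service provider does them first and only then reads the Subject
or attributes.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion body; the ID, issuer and values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cert-admins</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def identifier_from_nameid(assertion_xml):
    """Option 1: the Subject/NameID value."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise LookupError("assertion carries no usable NameID")
    return node.text.strip()


def identifier_from_attribute(assertion_xml, attribute_name):
    """Option 2: the value of one named attribute in the AttributeStatement.

    The attribute must be present exactly once and carry exactly one
    non-empty value; an absent or multi-valued attribute is refused rather
    than guessed at.
    """
    root = ET.fromstring(assertion_xml)
    matches = [a for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
               if a.get("Name") == attribute_name]
    if len(matches) != 1:
        raise LookupError(f"attribute {attribute_name!r} appears {len(matches)} times, expected once")
    values = [v.text.strip() for v in matches[0].findall("saml:AttributeValue", NS)
              if v.text and v.text.strip()]
    if len(values) != 1:
        raise LookupError(f"attribute {attribute_name!r} carries {len(values)} values, expected one")
    return values[0]


def match_user(identifier, known_usernames):
    """Exact, case-insensitive match against the service provider's user list.

    This matching rule is the example's assumption, not CertCentral's documented
    behaviour. Returns the stored username, or None if there is not exactly one hit.
    """
    wanted = identifier.casefold()
    hits = [u for u in known_usernames if u.casefold() == wanted]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    users = ["User@example.com", "admin@example.com"]  # constructed user list
    print(match_user(identifier_from_nameid(SAMPLE_ASSERTION), users))
    print(match_user(identifier_from_attribute(SAMPLE_ASSERTION, "email"), users))
```

If you plan to use the attribute option, run the attribute name you intend to enter in CertCentral through identifier_from_attribute on a real assertion captured from your IdP; a LookupError there means the IdP is not sending the attribute the way the service provider needs it.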
Add a federation name.
The federation name must be unique. We recommend using your company name.
Under Federation Name, enter a federation name to include in the custom SSO URL that is created. Once created, share this SSO URL to SSO-only users.
Important
If using Entra ID, use this federation name as the value for <companycode>.
Include Federation Name:
By default, we add your Federation Name to the IdP Selection page where your SSO users can easily access your SP Initiated Custom SSO URL.
To keep your Federation Name from appearing on the IdP Selection page, deselect Include my federation name to the list of IDPs.
Configure single logout
Select Use single logout service to logout from IDP to log out from your IdP when you log out of CertCentral.
With this enabled, CertCentral sends a logout message to your IdP telling it to terminate the IdP session as you log out of CertCentral.
Add the DigiCert service provider (SP) metadata
Under DigiCert’s Service Provider (SP) Metadata, do one of these tasks to add the DigiCert SP metadata to your IdP's metadata:
Dynamic URL for DigiCert's SP metadata
Copy the dynamic URL to the DigiCert SP metadata and add it to your IdP to help make the SSO connection.
With this option, if the DigiCert SP metadata ever changes, your SP metadata is updated automatically in your IdP.
Static XML
Select the Static XML Metadata link. Then under Static XML, copy the DigiCert XML formatted SP metadata. Add the static XML to your IdP to help make the SSO connection.
With this option, if the DigiCert SP metadata ever changes, you must update it manually in your IdP.
Once ready, select Save SAML settings.
Configure SSO Settings for users
While adding users to your account, you can restrict users to single sign-on authentication only, making them SSO-only users. These users don't have API access and can't create API keys.
API keys for SSO-only users
To allow SSO-only users to create API keys and build API Integrations, select Enable API access for SSO-only users.
The Enable API access for SSO-only users option allows SSO-only users with API keys to bypass single sign-on.
Disabling API access for SSO-only users doesn't revoke existing API keys. It only blocks the creation of new API keys.
Sign in and finalize the SAML SSO to CertCentral connection
On the Single Sign-on page, in the SP Initiated Custom SSO URL section, copy the URL and enter it into a browser. Then, use your IdP credentials to sign in to your CertCentral account.
What's next
Begin managing your single sign-on users in CertCentral. To learn about managing users in CertCentral, see our Managing SAML Single Sign-on (SSO) users and Allow access to SAML Settings permission instructions.