SAML SSO prerequisites and required attributes
Before you configure SAML SSO, make sure your DigiCert® Private CA environment and identity provider are ready.
Prerequisites
Requirement | Description |
|---|---|
DigiCert Private CA customer-hosted environment | A running DigiCert Private CA deployment in a customer-hosted environment. |
Local superadmin account | Required to configure SAML SSO. Keep this account available for fallback access if your identity provider is unavailable. |
SAML 2.0 identity provider | A SAML 2.0 compliant identity provider, such as Okta, Microsoft Entra ID, Keycloak, or ADFS. |
Identity provider metadata XML | Metadata XML downloaded from your identity provider after you configure DigiCert Private CA as a SAML service provider. |
Required SAML attributes
Configure your identity provider to include the following attributes in the SAML assertion.
Attribute | Description |
|---|---|
Email address of the user. Private CA uses this value as the unique user identifier. | |
firstname | First name of the user |
lastname | Last name of the user |
groups | Optional. Group memberships used for role mapping, if configured. |
Important behavior
DigiCert Private CA uses the email attribute as the unique user identifier.
Duplicate display names are allowed.
Only superadmin users can access Settings > SAML SSO.
External RelayState URLs are ignored to protect against open redirects. After sign-in, users land on the default DigiCert Private CA page.
Keep the local superadmin account available. Local superadmin sign-in remains available as a fallback when SSO is enabled.