Skip to main content

SAML SSO prerequisites and required attributes

Before you configure SAML SSO, make sure your DigiCert® Private CA environment and identity provider are ready.

Prerequisites

Requirement

Description

DigiCert Private CA customer-hosted environment

A running DigiCert Private CA deployment in a customer-hosted environment.

Local superadmin account

Required to configure SAML SSO. Keep this account available for fallback access if your identity provider is unavailable.

SAML 2.0 identity provider

A SAML 2.0 compliant identity provider, such as Okta, Microsoft Entra ID, Keycloak, or ADFS.

Identity provider metadata XML

Metadata XML downloaded from your identity provider after you configure DigiCert Private CA as a SAML service provider.

Required SAML attributes

Configure your identity provider to include the following attributes in the SAML assertion.

Attribute

Description

email

Email address of the user. Private CA uses this value as the unique user identifier.

firstname

First name of the user

lastname

Last name of the user

groups

Optional. Group memberships used for role mapping, if configured.

Important behavior

  • DigiCert Private CA uses the email attribute as the unique user identifier.

  • Duplicate display names are allowed.

  • Only superadmin users can access Settings > SAML SSO.

  • External RelayState URLs are ignored to protect against open redirects. After sign-in, users land on the default DigiCert Private CA page.

  • Keep the local superadmin account available. Local superadmin sign-in remains available as a fallback when SSO is enabled.