Create certificate profiles for SAML IdP authentication
To create a certificate profile for SAML IdP authentication in DigiCert® Trust Lifecycle Manager:

1. Open DigiCert® Trust Lifecycle Manager.
2. Go to Policies > Base templates and select the Generic User, Generic Server, or Generic Device template.
   In this example, we use the Generic User Certificate template and the DigiCert Desktop Client enrollment method.
3. On the Primary options page:
   - Select the appropriate business unit and issuing CA.
   - Enter a profile name.
   - Select an enrollment method. In this example, we use DigiCert Desktop Client.
   - Select SAML IdP as the authentication method.
   - Select Next to configure the required certificate fields (Subject DN) for the Private CA, and select a source for each field: SAML Assertion, Entered by User, or Fixed Value.
   Note
   The SAML Assertion value must match the Claims value in Azure.
4. Select Next.
5. On the Certificate options page:
   - Under Certificate fields, select the validity period of the certificate, the required key size, and the algorithm.
   - Under Flow options, enable Allow duplicate certificates if you want to allow duplicate certificates with the same Subject DN to be issued.
   - Under Renewal options, select when requests to renew certificates can be submitted.
   - Under Subject DN and SAN fields, select the required certificate fields, and then specify the source of each of those fields.
6. Select Next.
7. On the Extensions page, configure the required certificate extensions:
   - Key Usage
   - Extended Key Usage (EKU)
8. Select Next.
9. On the Additional options page:
   - Under Certificate delivery format, select the format in which certificates should be sent.
   - Under Email configuration & notifications, enable and configure email templates for automatic notification of certain events.
   - Under Administrative contact, enter the contact information for the profile you are configuring, which end users can use if they have SAML enrollment issues.
   - Under LDAP search, specify whether certificates can be found with the DigiCert® Trust Lifecycle Manager LDAP service.
10. Select Next.
11. On the Advanced settings page:
    - Under Seat ID Mapping, select a field to bind to your seat ID. This field uniquely identifies the user, device, or server that the seat is for, e.g. Subject DN: CN, Email.
    - If you already have your SAML IdP configuration data, under Configure SAML IDP, enter the corresponding values from your Azure Portal. Otherwise, enter placeholder data for now.
12. Select Create to save the profile configuration.
13. Select your new profile.
14. Under Advanced settings, select Download SP Metadata to download the temporary SAML metadata file that is used to configure your SAML IdP.

When you have a profile for SAML IdP authentication, create an app in Microsoft Azure AD.
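The Subject DN sources chosen in step 3 (SAML Assertion, Entered by User, Fixed Value) and the note that the SAML Assertion value must match the claim name in Azure are easiest to check against a real assertion before go-live. The following Python is an added example, not DigiCert or Microsoft code: it parses a constructed assertion, resolves a hypothetical profile mapping, and reports any field whose configured claim name the assertion does not carry (the CN entry is deliberately misconfigured to show that failure).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement (invented values; claim names follow the
# default Azure AD scheme). A real response also carries a Signature to verify.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical profile: Subject DN field -> (source, value) using the three sources the
# profile offers. "CN" deliberately names a claim the sample assertion does not carry.
PROFILE_SUBJECT_DN = {
    "CN": ("SAML Assertion", "http://schemas.microsoft.com/identity/claims/name"),
    "Email": ("SAML Assertion", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
    "O": ("Fixed Value", "Example Corp"),
    "OU": ("Entered by User", None),
}


def claims_from_assertion(xml_text):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    }


def build_subject_dn(profile, claims, user_input):
    """Resolve each Subject DN field from its configured source; return (fields, problems)."""
    dn, problems = {}, []
    for field, (source, value) in profile.items():
        if source == "SAML Assertion":
            if claims.get(value):  # claim name must match what Azure actually emits
                dn[field] = claims[value][0]
            else:
                problems.append(f"{field}: claim {value!r} not in assertion")
        elif source == "Fixed Value":
            dn[field] = value
        elif source == "Entered by User" and user_input.get(field):
            dn[field] = user_input[field]
        else:
            problems.append(f"{field}: no value provided for source {source!r}")
    return dn, problems
```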