Validate SAML SSO sign-in and logout
After you configure SAML SSO, validate sign-in, fallback local sign-in, and logout behavior in DigiCert® Private CA.
Validate SSO sign in
To Validate SSO sign-in:
Open the DigiCert Private CA sign-in page.
Confirm that Sign in with SSO is displayed.
Select Sign in with SSO.
Confirm that you are redirected to your identity provider sign-in page.
Sign in with a user assigned to the SAML application.
Confirm that you are redirected back to DigiCert Private CA.
Confirm the signed in user
After a successful SSO sign in, confirm the following in the Private CA.
Check | Expected result |
|---|---|
Session | A session is created for the signed-in user. |
User account | The user appears in the users list on the user management page. |
User role | The user receives the expected role based on your SAML and role-mapping configuration. |
Validate local fallback sign-in
Local superadmin sign-in remains available when SAML SSO is enabled.
Sign out of the Private CA.
Return to the sign-in page.
Sign in with the local superadmin username and password.
Confirm that local superadmin sign-in succeeds.
Validate SP-initiated logout
Sign in to DigiCert Private CA using SSO.
Select Logout.
Confirm that you return to the sign-in page.
Try to access a protected page.
Confirm that access is denied until you sign in again.
Validate IdP-initiated logout
If your identity provider supports IdP-initiated logout, configure it to send single logout (SLO) requests to:
https://<your-ca-host>/certificate-authority/api/v1/auth/saml/slo
DigiCert Private CA validates the SLO request before completing logout.
Validation | Description |
|---|---|
Issuer | The issuer must match the configured identity provider entity ID. |
Destination | The destination must match the DigiCert Private CA SLO endpoint. |
Expiration | The |