Configure SAML Single Sign-On

Before you begin

Before you begin, make sure you've met the prerequisites:

  • Have SAML enabled for your account
  • Have your IdP metadata (dynamic or static)
  • Have what you need to match CertCentral users to SAML users (Name ID field or attribute).

See SAML single sign-on prerequisites and SAML service workflow.

Configure SAML Single Sign-on

  1. Go to the Federation Settings page

    1. In the sidebar menu, click Settings > Single Sign-On.
    2. On the Single Sign-on (SSO) page, click Edit Federation Settings.
  2. Set up your identity provider metadata

    On the Federation Settings page, in the Your IDP's Metadata section, complete the tasks below.

    1. Add IdP metadata
      Under How will you send data from your IDP?, use one of these options to add your metadata.
      1. XML Metadata
        Provide DigiCert with your IdP metadata in XML format.
        If your IdP metadata changes, you'll need to manually update your IdP metadata in your account.
      2. Use a dynamic URL
        Provide DigiCert with the link to your IdP metadata.
        If your IdP metadata changes, your IdP metadata is updated automatically in your account.
    2. Identify users
      For SAML Single Sign-On sign-in to succeed, you must decide how to match the SSO assertion with the SSO users' usernames in CertCentral.
      Under How will you identify a user?, use one of these options to match SSO users with their usernames in CertCentral.
      1. NameID
        Use the NameID field to match your CertCentral users to their SAML Single Sign-on (SSO) users.
      2. Use a SAML attribute
        Use an attribute to match your CertCentral users to their SAML Single Sign-on (SSO) users.
        In the box, enter the attribute you want to use (for example, email).
        This attribute needs to appear in the assertion your IdP sends to DigiCert:
        <AttributeStatement>
          <Attribute Name="email">
            <AttributeValue>user@example.com</AttributeValue>
          </Attribute>
        </AttributeStatement>
    3. Add federation name
      Under Federation Name, enter a federation name (friendly name) to be included in the custom SSO URL that is created. You will send this SSO URL to SSO only users.
      Note: The federation name must be unique. We recommend using your company name.
    4. Include Federation Name
      By default, we add your Federation Name to the IdP Selection page where your SSO users can easily access your SP Initiated Custom SSO URL.
      To keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.
    5. Save
      When you are finished, click Save & Finish.
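The following is an added example, not DigiCert's code or part of the original page: it shows, with a constructed sample assertion and a constructed CertCentral username list, how the two "How will you identify a user?" options above (NameID, or a named attribute such as email) pick the value that is compared against CertCentral usernames, and what happens when the IdP does not send the configured attribute. The exact-string comparison is an assumption made for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the IdP's <Assertion> element.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response) carrying both
# identification options: a NameID and an attribute named "email".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed CertCentral-side list of SSO usernames the assertion must match.
CERTCENTRAL_SSO_USERS = {"user@example.com", "admin@example.com"}


def extract_identifier(assertion_xml, match_on="NameID"):
    """Return the value that is compared against CertCentral usernames.

    match_on is "NameID" (use <Subject>/<NameID>) or the name of a SAML
    attribute such as "email" (use <Attribute Name="..."> under
    <AttributeStatement>). Returns None when the assertion lacks the field.
    Signature validation happens before this step and is out of scope here.
    """
    root = ET.fromstring(assertion_xml)
    if match_on == "NameID":
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
        return node.text.strip() if node is not None and node.text else None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == match_on:
            value = attr.find("saml:AttributeValue", SAML_NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def match_sso_user(assertion_xml, match_on="NameID", users=CERTCENTRAL_SSO_USERS):
    """Return the matched CertCentral username, or None if no user matches."""
    identifier = extract_identifier(assertion_xml, match_on)
    return identifier if identifier is not None and identifier in users else None


if __name__ == "__main__":
    print(match_sso_user(SAMPLE_ASSERTION, "NameID"))  # user@example.com
    print(match_sso_user(SAMPLE_ASSERTION, "email"))   # user@example.com
    print(match_sso_user(SAMPLE_ASSERTION, "uid"))     # None: attribute not sent
```

If the configured attribute is missing from the assertion, the sign-in cannot be matched to any user, so confirm the IdP actually emits it before sending the custom SSO URL to users.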
  3. Add the DigiCert service provider (SP) metadata

    On the Single Sign-on (SSO) page, in the DigiCert’s SP Metadata section, complete one of these tasks to add the DigiCert SP metadata to your IdP's metadata:

    • Dynamic URL for DigiCert's SP metadata
      Copy the dynamic URL to the DigiCert SP metadata and add it to your IdP to help make the SSO connection.
      If the DigiCert SP metadata ever changes, your SP metadata is updated automatically in your IdP.
    • Static XML
      Copy the DigiCert XML formatted SP metadata and add it to your IdP to help make the SSO connection.
      If the DigiCert SP metadata ever changes, you'll need to manually update it in your IdP.
  4. Configure SSO Settings for users

    When adding users to your account, you can restrict users to Single Sign-on authentication only (SSO-only users). These users don't have API access (e.g., can't create working API keys).

    To allow SSO-only users to create API keys and build API integrations, check Enable API access for SSO-only users.

The Enable API access for SSO-only users option allows SSO-only users with API keys to bypass Single Sign-on. Disabling API access for SSO-only users doesn't revoke existing API keys. It only blocks the creation of new API keys.

  5. Sign in and finalize the SAML SSO to CertCentral connection

    On the Single Sign-on page, in the SP Initiated Custom SSO URL section, copy the URL and paste it into a browser. Then, use your IdP credentials to sign in to your CertCentral account.

If you prefer, use an IdP initiated login URL to sign in to your CertCentral account instead. However, you'll need to provide your SSO users with this IdP initiated URL or application.

What's next

Start managing your Single Sign-on users in your account (add SAML SSO-only users to your account, convert existing account users to SAML SSO-only users, etc.). See Managing SAML Single Sign-on (SSO) users and Allow access to SAML Settings permission.