SAML service workflow

Important

XML Metadata Note:

If you're using the SAML Certificate Requests feature, you can't use the same XML metadata for both configurations. The SAML SSO entity ID must be different than the SAML guest request entity ID.

Provide DigiCert with your Identity Provider (IdP) metadata

To configure SAML Single Sign-on (SSO) for your CertCentral account, the first item on the SAML Admin to-do list is to set up your IdP metadata. You can do this with a dynamic URL or static XML metadata from your IdP:

  • Dynamic metadata:

    Configure your IdP via a dynamic URL that links to your IdP metadata. With a dynamic link, your metadata is updated automatically. If you have users signing in to your account daily, it updates every 24 hours. If it’s been longer than 24 hours since someone signed in, it will update the next time a user signs in to your account.

  • Static metadata:

    Configure your IdP by uploading a static XML file that contains all your IdP metadata. To update your metadata, you'll need to sign in to your account and upload a new XML file with the updated IdP metadata.

Match CertCentral users to SSO users: assign an attribute or use the nameID field

For SAML Single Sign-On to be successful, DigiCert must match CertCentral users with their SSO username. You must decide how to match users' SSO assertions with their usernames in CertCentral.

  • Attribute:

    You can assign an attribute (such as email) in SSO to identify users with CertCentral accounts. DigiCert will use this attribute to match CertCentral usernames with their SSO users.

  • NameID:

    You can use the NameID field to identify CertCentral users. DigiCert will use the NameID field to match CertCentral usernames with their SSO users.

Regardless of the identifying method used – attribute or the NameID field – for a user to sign in to their account, DigiCert must be able to match a CertCentral username to the selected SAML assertion value.
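Added example (not DigiCert's code) of the matching decision described above: given a SAML assertion that has already passed signature validation, pick the identifier by the configured method (NameID or a named attribute) and accept the sign-in only if exactly one CertCentral username matches it. The sample assertion, the attribute name `email`, and the case-insensitive comparison are assumptions of this example, not documented CertCentral behavior.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from DigiCert or any real IdP). It stands
# in for what your IdP sends after the user authenticates. This example assumes
# the Response signature was validated before the assertion reaches this code;
# in production, parse untrusted XML with a hardened parser such as defusedxml.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>PKI</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_identifier(assertion_xml, method, attribute_name=None):
    """Return the SAML value chosen to identify the user, or None if absent.

    method is "nameid" or "attribute"; attribute_name names the SAML attribute
    to read when method == "attribute" (e.g. "email").
    """
    root = ET.fromstring(assertion_xml)
    if method == "nameid":
        node = root.find("./saml:Subject/saml:NameID", NS)
        return node.text.strip() if node is not None and node.text else None
    if method == "attribute":
        for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute_name:
                val = attr.find("saml:AttributeValue", NS)
                return val.text.strip() if val is not None and val.text else None
        return None
    raise ValueError("unknown matching method: %r" % method)


def match_certcentral_user(assertion_xml, method, usernames, attribute_name=None):
    """Map the assertion to exactly one CertCentral username, or None.

    Case-insensitive comparison is an assumption of this example, so a NameID
    of Jane.Doe@example.com still matches the account jane.doe@example.com.
    """
    ident = extract_identifier(assertion_xml, method, attribute_name)
    if not ident:
        return None
    hits = [u for u in usernames if u.casefold() == ident.casefold()]
    # Zero or several candidate accounts means the sign-in is refused, not guessed.
    return hits[0] if len(hits) == 1 else None
```

A `None` result is the "DigiCert must be able to match a CertCentral username" failure case: the user authenticated at the IdP but has no single account to land in.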

Federation Name

To make it easier for your SAML SSO users to identify your SP-initiated custom SSO URL, we recommend adding a federation name (friendly name). This name will be part of the SP-initiated custom SSO URL. You can send this custom URL to your SSO only users for signing in to their account.

Notice

The federation name must be unique. We recommend using your company name.

DigiCert Service Provider (SP) metadata

After you have set up the Identity Provider metadata, assigned the attributes for identifying all single sign-on users, and added a federation name, we provide you with the DigiCert SP metadata. This metadata must be added to your IdP so the connection between your IdP and CertCentral account can be made. You can use a dynamic URL or XML metadata.

  • Dynamic metadata:

    Add the DigiCert SP metadata to your IdP using a dynamic URL that your IdP can access as needed to maintain updated metadata.

  • Static metadata:

    Add the DigiCert SP metadata to your IdP using a static XML file. If you need to update your IdP, you'll need to sign in to your CertCentral account and get an updated XML file with DigiCert’s SP metadata.

Service provider (SP) initiated custom SSO login URL or Identity Provider (IdP) initiated SSO login URL

Once you’ve added DigiCert’s SP metadata to your IdP, use SAML SSO to sign in to your CertCentral account. Sign in via the SP initiated custom SSO login URL or your own IdP initiated login URL.

  • SP initiated custom SSO login URL:

    Along with the new SAML process changes, a new custom SSO login URL is created. SSO users use it to sign in to their CertCentral account (example of a custom SSO login URL: https://www.digicert.com/account/sso/ "federation-name" /login).

  • IdP initiated SSO login URL:

    If you prefer, you can also use an IdP initiated login URL to sign in to your CertCentral account. However, you'll need to provide your SSO users with this IdP initiated URL or application.

Confirm IdP connection

Ready to finalize your SAML SSO connection? Sign in to your CertCentral account via your SSO URL (SP or IdP initiated) for the first time to finalize the connection.