Configure SAML Certificate Requests

Before you begin

  • Have SAML enabled for your account.
  • Have your IdP metadata (dynamic or static).
  • Have the field mappings configured in the SAML assertion.

See SAML certificate request prerequisites and the Field Mappings expected from SAML assertion section in SAML certificate requests service workflow.

Configure SAML certificate requests

  1. Go to the Federation Settings page

    1. In the sidebar menu, click Settings > SAML Certificate Requests.
    2. On the SAML Certificate Requests page, click Edit Federation Settings.

  1. Verify your IdP's metadata

    On the Federation Settings page, in the Field Mapping section, verify that you've supplied the specified SAML attributes in your SAML assertation. See the Field Mappings expected from SAML assertion section in SAML certificate requests service workflow.

  1. Set up your identity provider metadata

    On the Federation Settings page, in the Your IDP's Metadata section, complete the tasks below:

    1. Add IdP metadata
      Under How will you send data from your IDP?, use one of these options to add your metadata:
      1. XML Metadata
        Provide DigiCert with your IdP metadata in XML format.
        If your IdP metadata changes, you'll need to manually update your IdP metadata in your account.
      2. Use a dynamic URL
        Provide DigiCert with the link to your IdP metadata.
        If your IdP metadata changes, your IdP metadata is updated automatically in your account.
    2. Add federation name
      Under Federation Name, enter a federation name (friendly name) to be included in the SP-initiated SAML certificate request URL that is created. You will send this URL to your SAML users.
      The federation name will also be in the title of your SP-initiated Certificate Request sign-in page
      Note: The federation name must be unique. We recommend using your company name.
    3. Include Federation Name
      By default, we add your Federation Name to the IdP Selection page where your SSO users can easily access your SP Initiated Custom SSO URL for your SAML certificate requests.
      To keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.
    4. Enable client certificates for SAML certificate requests
      Under Product Options, select the types of client certificates you want your SAML users to order, once authenticated to SAML certificate request:
      1. Digital Signature Plus (client authentication + email signing + document signing)
      2. Authentication Plus (client authentication + document signing)
      3. Premium (client authentication + email encryption + email signing + document signing)
      4. Authentication Only (client authentication)
    5. Save
      When you are finished, click Save & Finish.

  1. Add the DigiCert service provider (SP) metadata

    On the SAML Certificate Request page, in the DigiCert’s SP Metadata section, complete one of these tasks to add the DigiCert SP metadata to your IdP's metadata:

    • Dynamic URL for DigiCert's SP metadata
      Copy the dynamic URL provided by DigiCert to our SP metadata. Add it to your IdP to help make the SAML Certificate Request connection.
      If the DigiCert SP metadata ever changes, your SP metadata is updated automatically in your IdP.
    • Static XML
      Copy the XML formatted SP metadata provided by DigiCert. Add it to your IdP to help make the SAML Certificate Request connection.
      If the DigiCert SP metadata ever changes, you'll need to manually update in your IdP.

  1. Sign in and finalize the SAML authenticated certificate requests connection

    On the SAML Certificate Request page, in the SAML Certificate URL section, copy the URL and paste it into a browser. Then, use your IdP credentials to sign in and authenticate to SAML certificate requests.

If you prefer, you can use an IdP initiated login URL to sign in to your SAML certificate request instead. However, you need to provide your SAML users with this IdP initiated URL or application.

What's next?

You can now share the SAML certificate request URL and allow your non-CertCentral users to order their client certificates. Share these instructions with SAML users or send them with the SAML certificate requests URL.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.