SAML certificate requests service workflow
XML Metadata Note
If you're using the SAML Single Sign-On feature, you can't use the same XML metadata for both configurations. The SAML certificate request entity ID must be different than the SAML SSO entity ID.
To configure SAML certificate requests for your CertCentral account, the first item on the SAML Admin to-do list is to set up your IdP metadata. You can do this with a dynamic URL or static XML metadata from your IdP.
- Dynamic metadata
Configure your IdP via a dynamic URL that links to your IdP metadata. With a dynamic link, your metadata is updated automatically. If you have users signing in to your account daily, it updates every 24 hours. If it’s been longer than 24 hours since someone signed in, it will update the next time a user signs in your account.
- Static metadata
Configure your IdP by uploading a static XML file that contains all your IDP metadata. To update your metadata, you'll need to sign in to your account and upload a new XML file with the updated IdP metadata.
To make it easier for your SAML users to identify your SP-initiated certificate request URL, we recommend adding a federation (friendly name) to it. This name will be part of the SP-initiated certificate request URL that you can send to SAML users for requesting Client certificates. It will also be included in the title of your SP-initiated certificate request sign in page.
The federation name must be unique; we recommend using your company name.
Field Mappings expected from SAML assertion
For SAML certificate request to be successful, you must configure the field mappings on the IdP side in the SAML assertion.
We will look for the SAML attribute "organization".
The organization attribute must match an active organization in your CertCentral account; one that DigiCert has validated for organization validation (OV). For example, if you want to use DigiCert, Inc., then your SAML “organization” attribute must be “DigiCert, Inc.” (
- Common Name
We will look for the SAML attribute “common_name”. The domain must match a domain in your CertCentral account that DigiCert has validated for organization validation (OV).
- Email Address
We will look for the SAML attribute “email”
- Person ID (optional)
The Personal ID is only required if NameID is not included in the assertion. If the NameID is not included, we will look for the SAML attribute “person_id”.
The “person_id” attribute must be unique to the user. This ID allows them to access their previously placed orders.
These field mappings must be configured on the IdP side so that DigiCert can properly parse the metadata and display the correct information in your SAML certificate request Client certificate request forms.
Example SAML assertion
Products available on the certificate request form
You must select the client certificates your SAML users can order once authenticated to the SAML certificates requests page. Currently, we only support client certificates for SAML certificates requests.
To enable a client certificate for your SAML certificate request, it must be enabled for your account. To get a client certificate enabled for your account, contact your account, contact your DigiCert account representative or our Support team.
- Authentication Only – Provides client authentication.
- Authentication Plus – Provides client authentication and document signing*.
- Digital Signature Plus – Provides client authentication, email signing, and document signing*.
- Premium – Provides client authentication, email encryption, email signing, and document signing*.
For programs that support the application of digital signatures and encryption, clients can sign documents and encrypt their valuable data such as documents. For programs that use the Adobe Approved Trust List, you'll need to use a DigiCert Document Signing certificate.
Product limit configurations
The product limits that you configure on the Product Settings page in your CertCentral don't apply to the products for the SAML certificate request feature. (In the sidebar menu, click Settings > Product Settings).
Currently, the SAML certificate request feature doesn't support the addition of custom fields on the certificate request form.
- Don’t use required custom fields
If you plan to enable the client certificate for SAML certificate requests, don't add required custom fields to the certificate. Required custom fields break the SAML certificate request process and cause it to error out.
- Optional custom fields aren't included on SAML certificate request forms
You can add optional custom fields to a client certificate form and still enable that certificate for SAML certificate requests. However, the optional custom fields are not passed through to the SAML certificate request form.
After you've set up the Identity Provider metadata, added a federation name, and configured the allowed client certificate products for the certificate requests, we'll provide you with DigiCert’s SP metadata. This metadata must be added to your IdP so that the connection between your IdP and CertCentral account can be made. You can use a dynamic URL or XML metadata.
- Dynamic metadata
Add DigiCert’s SP metadata to your IdP using a dynamic URL that your IdP can access as needed to maintain updated metadata.
- Static metadata
Add DigiCert’s SP metadata to your IdP using a static XML file. If you need to update your IdP in the future, you'll need to sign in to your CertCentral account and get an updated XML file with DigiCert’s SP metadata.
Service provider (SP) initiated custom certificate request URL or Identity Provider (IdP) initiated certificate request URL
Once you’ve added DigiCert’s SP metadata to your IdP, use the SAML certificate request URL to request a client certificate. Sign in via the SP initiated custom certificate request URL or your own IdP initiated certificate request URL.
- SP initiated custom certificate request URL
Along with the new SAML process changes, a new custom certificate request URL is created. SSO users can use it to request a client certificate (for example, https://www.digicert.com/account/saml-certificate-request/"federation-name"/login).
- IdP initiated certificate request URL
If you prefer, use an IdP initiated login URL to sign in and order the client certificate as well. However, you'll need to provide your SAML users with this IdP initiated URL or application.
Ready to finalize your SAML certificate request URL connection. Sign in to the certificate request URL (SP or IdP initiated) for the first time to finalize the connection.