
Configure SAML certificate requests

Use these steps to connect your identity provider (IdP) to CertCentral and generate the SAML certificate requests URL for your users.

Important

If your CertCentral account also uses SAML single sign-on, the entity ID for SAML certificate requests must be different from the entity ID for SAML SSO. You cannot use the same XML metadata for both configurations.

Before you begin

  • Confirm you meet all prerequisites. See SAML prerequisites.

  • Confirm the following field mappings are configured in your SAML assertion on the IdP side before starting configuration:

SAML attribute   Description

organization     Must match an active organization validated by DigiCert for organization validation (OV). For example: DigiCert, Inc.

common_name      Must match a domain validated by DigiCert for OV.

email            The user's email address.

person_id        Required only if NameID is not included in the assertion. Must be unique per user. Allows users to access previously placed orders.

Example 1. Example SAML assertion (AttributeStatement excerpt):
<saml:AttributeStatement>
    <saml:Attribute Name="organization">
        <saml:AttributeValue>Example Organization</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="common_name">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
        <saml:AttributeValue>j.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="person_id">
        <saml:AttributeValue>455c486547814cf1bcb7dcd9da91f8f6</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
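The table above is a contract between your IdP and CertCentral, and the cheapest time to find a mapping mistake is before you paste metadata into the account. The following script is an added example, not DigiCert code or part of this page: it parses an assertion (or a bare AttributeStatement) captured from your own IdP, reports missing or multi-valued attributes, applies the NameID-or-person_id rule, optionally checks organization against a set of names you know DigiCert has validated, and flags person_id or NameID collisions across assertions for different users. The build_assertion helper, the validated_orgs parameter and the sample values are assumptions made for the example; signature and condition validation are deliberately out of scope, since CertCentral performs those, not this script.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace of the SAML 2.0 assertion elements (the saml: prefix used on the page).
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Attributes the page lists as required in every assertion; person_id is
# required only when NameID is absent, so it is handled separately below.
REQUIRED_ATTRS = ("organization", "common_name", "email")


def build_assertion(attributes, name_id=None):
    """Constructed helper (not DigiCert code): emit a minimal, UNSIGNED
    assertion so the checks below can be exercised offline."""
    subject = (f"<saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID></saml:Subject>"
               if name_id else "")
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(name)}">'
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">{subject}'
            f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>")


def extract_attributes(assertion_xml):
    """Return ({attribute name: [values]}, NameID or None) from an assertion
    or a bare AttributeStatement. Signature and conditions are NOT checked
    here; this is a pre-configuration sanity check, not assertion validation.
    Only parse assertions captured from your own IdP (swap in defusedxml
    if the input is untrusted)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return attrs, (name_id.text.strip() if name_id is not None and name_id.text else None)


def check_field_mapping(assertion_xml, validated_orgs=None):
    """Return a list of mapping problems; an empty list means the assertion
    carries everything the field-mapping table requires. validated_orgs is an
    optional set of organization names you know DigiCert has validated for OV."""
    attrs, name_id = extract_attributes(assertion_xml)
    problems = []
    for name in REQUIRED_ATTRS:
        values = attrs.get(name, [])
        if not values:
            problems.append(f"missing attribute: {name}")
        elif len(values) != 1:
            problems.append(f"attribute {name} has {len(values)} values; expected exactly one")
    email = attrs.get("email")
    if email and "@" not in email[0]:
        problems.append("email attribute does not look like an address")
    if name_id is None and not attrs.get("person_id"):
        problems.append("neither NameID nor person_id present; "
                        "users could not be matched to previously placed orders")
    if validated_orgs is not None and attrs.get("organization"):
        org = attrs["organization"][0]
        if org not in validated_orgs:
            problems.append(f"organization {org!r} is not in the set of validated organizations")
    return problems


def check_identity_uniqueness(assertion_xmls):
    """Across assertions for different users, flag identities that collide.
    The identity is person_id when present, otherwise NameID, which is the
    rule the table gives for matching users to earlier orders."""
    owner = {}
    problems = []
    for xml_text in assertion_xmls:
        attrs, name_id = extract_attributes(xml_text)
        ident = (attrs.get("person_id") or [name_id])[0]
        if ident is None:
            continue  # already reported by check_field_mapping
        email = (attrs.get("email") or ["<no email>"])[0]
        if ident in owner and owner[ident] != email:
            problems.append(f"identity {ident!r} is shared by {owner[ident]} and {email}")
        owner.setdefault(ident, email)
    return problems


if __name__ == "__main__":
    # The page's example values, with the xmlns declaration the fragment omits.
    sample = build_assertion({"organization": "Example Organization", "common_name": "Jane Doe",
                              "email": "j.doe@example.com",
                              "person_id": "455c486547814cf1bcb7dcd9da91f8f6"})
    print(check_field_mapping(sample, validated_orgs={"Example Organization"}))  # []
```

Run check_field_mapping on one captured assertion per IdP group or attribute-release policy, and check_identity_uniqueness on a handful of assertions from different users; a shared person_id is the failure mode that silently gives one user access to another's earlier orders, and it is invisible in a single assertion.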

Configure SAML certificate requests

  1. In the CertCentral main menu, go to Settings > SAML Certificate Requests.

  2. On the SAML Certificate Requests page, select Edit Federation Settings.

  3. On the Federation Settings page, in the Field Mapping section, confirm that the required SAML attributes are configured in your SAML assertion on the IdP side.

  4. Under Your IdP's Metadata, add your IdP metadata using one of the following options:

    • XML Metadata — provide IdP metadata in XML format. If your IdP metadata changes, update the XML manually in your account.

    • Dynamic URL — provide the link to your IdP metadata. If your IdP metadata changes, it updates automatically in your account.

  5. Under Federation Name, enter a federation name to include in the SP-initiated SAML certificate request URL. This name also appears in the title of your SP-initiated certificate request sign-in page.

    Notice

    The federation name must be unique. DigiCert recommends using your company name.

  6. By default, DigiCert adds your federation name to the IdP Selection page so SSO users can access your SP-initiated certificate request URL.

    To prevent this, clear Add my Federation Name to the list of IdPs.

  7. Under Product Options, select the client certificate types your SAML users can order after authenticating:

    • Digital Signature Plus (client authentication, email signing, document signing)

    • Authentication Plus (client authentication, document signing)

    • Premium (client authentication, email encryption, email signing, document signing)

    • Authentication Only (client authentication)

    Notice

    Product limits configured on the Product Settings page do not apply to products enabled for SAML certificate requests. Custom fields are not supported on SAML certificate request forms. Do not add required custom fields to a client certificate enabled for SAML certificate requests — required custom fields cause the SAML certificate request process to fail. Optional custom fields are not passed through to the SAML certificate request form.

  8. Select Save & Finish.

  9. On the SAML Certificate Requests page, under DigiCert's SP Metadata, add DigiCert's SP metadata to your IdP using one of the following options:

    • Dynamic URL: add the dynamic URL to your IdP. If DigiCert's SP metadata changes, your IdP updates automatically.

    • Static XML: add the XML-formatted SP metadata to your IdP. If DigiCert's SP metadata changes, update the XML manually in your IdP.

  10. On the SAML Certificate Requests page, under SAML Certificate URL, copy the URL and paste it into a browser. Sign in using your IdP credentials to finalize the connection.

    Notice

    You can also use an IdP-initiated login URL to finalize the connection. Provide your SAML users with this URL or application if you prefer the IdP-initiated flow.

    After completing configuration, share the SAML certificate request URL with your users. They use this URL to sign in and order their client certificates.
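Before pasting IdP metadata in Step 4, it is worth checking that the document you have is the one you think it is. The script below is an added example, not DigiCert's code or part of this page: it parses an IdP EntityDescriptor, pulls out the entityID, the SingleSignOnService endpoints and the signing certificates the SP will need to verify assertions, and enforces the rule from the Important note at the top of the page that SAML certificate requests and SAML SSO must not share an entity ID, by comparing against the metadata already used for SSO. The build_idp_metadata helper, the placeholder certificate text and the example.com hostnames are assumptions made for the example; fetching a Dynamic URL is left out so the script runs offline.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_idp_metadata(entity_id, sso_location, signing_cert_b64="MIIB...constructed..."):
    """Constructed helper (not the output of DigiCert or any real IdP): a
    minimal EntityDescriptor with one signing key and Redirect/POST SSO
    endpoints. The certificate value is a placeholder, not a real certificate."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="{entity_id}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{signing_cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        f'<md:SingleSignOnService Binding="{REDIRECT}" Location="{sso_location}"/>'
        f'<md:SingleSignOnService Binding="{POST}" Location="{sso_location}"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def parse_idp_metadata(xml_text):
    """Pull out what the SP needs: entityID, SSO endpoints by binding, and the
    signing certificates used to verify assertion signatures. Parse metadata
    from your own IdP only; for untrusted XML use defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor root element")
    idp = root.find("md:IDPSSODescriptor", NS)
    endpoints, signing_certs = {}, []
    if idp is not None:
        for svc in idp.iterfind("md:SingleSignOnService", NS):
            endpoints[svc.get("Binding")] = svc.get("Location")
        for kd in idp.iterfind("md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
                for cert in kd.iterfind(".//ds:X509Certificate", NS):
                    signing_certs.append("".join((cert.text or "").split()))
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "signing_certs": signing_certs}


def check_idp_metadata(cert_requests_md_xml, sso_md_xml=None):
    """Return a list of problems with the metadata about to be added in Step 4.
    Pass the metadata already used for SAML SSO as sso_md_xml to enforce the
    rule that the two configurations must not share an entity ID."""
    md = parse_idp_metadata(cert_requests_md_xml)
    problems = []
    if not md["entity_id"]:
        problems.append("entityID attribute is missing")
    if not md["endpoints"]:
        problems.append("no SingleSignOnService endpoints; SP-initiated requests cannot be redirected")
    for binding, location in md["endpoints"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding.rsplit(':', 1)[-1]} is not https: {location}")
    if not md["signing_certs"]:
        problems.append("no signing certificate; the SP cannot verify assertion signatures")
    if sso_md_xml is not None:
        sso = parse_idp_metadata(sso_md_xml)
        if sso["entity_id"] == md["entity_id"]:
            problems.append(f"entityID {md['entity_id']!r} is already used for SAML SSO; "
                            "issue separate metadata for certificate requests")
    return problems


if __name__ == "__main__":
    cert_req = build_idp_metadata("https://idp.example.com/certrequests", "https://idp.example.com/sso")
    sso = build_idp_metadata("https://idp.example.com/sso-federation", "https://idp.example.com/sso")
    print(check_idp_metadata(cert_req, sso))  # []
```

If you choose the Dynamic URL option in Step 4, the same check belongs in whatever job watches that URL: a metadata refresh that changes the entityID or drops the signing certificate will break every subsequent certificate request, and it is far easier to read from the parsed fields than from a failed sign-in.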

What's next

See SAML certificate request workflow to understand what your users see when they sign in to the SAML certificate requests URL.