
Enable and configure single sign-on with SAML

To streamline the process, we recommend keeping two browser tabs open: one for DigiCert ONE and another for your Identity Provider (IdP). This setup lets you reference both platforms and complete the configuration without interruptions.

Prerequisites

Before configuring SAML in DigiCert ONE:

  • Have administrator access to your company's IdP service, such as Active Directory, Okta, Salesforce, or another user management service.

  • Make sure authentication from your IdP signs the assertion.

    Note

    Signing SAML response is optional.

Connect DigiCert to your IdP

Use one browser to configure your DigiCert ONE account to recognize your IdP:

  1. Sign in to DigiCert ONE.

  2. Navigate to the Manager menu icon (top right) and select Account.

  3. In the left navigation menu, select Accounts.

  4. On the Accounts page, select the Name of the account.

  5. On the Account details page, navigate to the Sign-in settings for all-account-access users section.

  6. Select the pencil icon next to Single sign-on with SAML.

  7. Copy the SSO URL.

    Tip

    This URL will be required in steps 8, 9, and 10 of the Connect your IdP to DigiCert instructions.

  8. Open another browser and begin the process below. Only proceed to the next step once you have completed step 16.

  9. Select Upload IdP metadata.

    Tip

    Select the metadata file that you created in step 16 of the Connect your IdP to DigiCert instructions.

  10. Select Save.

  11. Create a user with the same username as the user in your IdP.

    Tip

    If the user already exists in DigiCert ONE, update their username to match their user details in your IdP.

Connect your IdP to DigiCert

Note

These instructions are based on Okta. If you are using a different IdP, look for similar fields or refer to your IdP's documentation for guidance.

Use a second browser to configure your IdP to recognize your DigiCert ONE account:

  1. Sign in to your IdP as an administrator.

  2. In the left-hand menu, select Applications.

  3. Click the Create App Integration button.

  4. Select SAML 2.0.

  5. Click Create.

  6. Name the Application.

    Tip

    Optional: Add a logo.

  7. Select Next.

  8. Paste the SSO URL into Okta under Single sign-on URL and Audience URI (SP Entity ID).

    Tip

    See step 6 of the Connect DigiCert to IdP instructions.

  9. Select Next.

  10. Select Finish.

  11. In the SAML Setup section, select View SAML Setup Instructions.

  12. Copy your IdP metadata.

  13. Paste it into a plain-text editor (such as Notepad).

  14. Save as a .xml file.

  15. Switch back to the Account Manager tab.

    Tip

    Proceed with step 8 of the Connect DigiCert to IdP instructions.

  16. Select Directory > People.

  17. Select Add person or identify the user in the list.

    Tip

    The DigiCert ONE username must match the IdP username.

  18. Select the user.

  19. Click Assign Application on the user details page.

  20. Assign DigiCert ONE from the application list.

    Tip

    The user will receive an activation email (Subject line: Single sign-on access for DigiCert ONE). The user will need to follow the instructions in the email to be able to sign in to DigiCert ONE via Okta.
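Steps 12 through 14 above have you copy the IdP metadata into a text file by hand, which is where a stray character or the wrong document (SP metadata instead of IdP metadata) creeps in. The following script, an added example that is not DigiCert's or Okta's code, parses the saved .xml file before you upload it and reports the entityID, the SingleSignOnService endpoints and whether a signing certificate is present, which is what DigiCert ONE needs to verify signed assertions. The sample metadata embedded below is constructed; its entityID, URLs and certificate body are placeholders, not real values.

```python
"""Sanity-check an IdP metadata file before uploading it to DigiCert ONE (added example)."""
import json
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the IdP metadata Okta shows under
# "View SAML Setup Instructions". Every value here is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEidp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exkEXAMPLEidp/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exkEXAMPLEidp/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints, signing-cert count and a list of warnings.

    Raises ValueError when the document is not IdP metadata at all (for
    example, SP metadata pasted by mistake).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is %s, expected md:EntityDescriptor" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor found; this is not IdP metadata")

    warnings = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        warnings.append("entityID attribute is missing or empty")

    # A KeyDescriptor with use="signing" (or no use attribute, meaning both
    # signing and encryption) carries the X.509 certificate that signs assertions.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                signing_certs.append(cert.text.strip())
    if not signing_certs:
        warnings.append("no signing certificate: assertion signatures cannot be verified")

    # Collect the SingleSignOnService endpoints keyed by binding; flag plain HTTP.
    sso_endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding", ""), svc.get("Location", "")
        sso_endpoints[binding] = location
        if not location.startswith("https://"):
            warnings.append("SSO endpoint is not HTTPS: %s" % location)
    if HTTP_POST not in sso_endpoints and HTTP_REDIRECT not in sso_endpoints:
        warnings.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")

    return {
        "entity_id": entity_id,
        "sso_endpoints": sso_endpoints,
        "signing_cert_count": len(signing_certs),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py okta-metadata.xml (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(inspect_idp_metadata(text), indent=2))
```

An empty warnings list means the file has the parts DigiCert ONE will look for; it says nothing about whether the certificate is current or the endpoints are reachable, so a failed sign-in after upload still needs the IdP-side logs.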

Add single sign-on users

New users

To add new users to DigiCert ONE accounts with SSO, the assigned username in DigiCert ONE must match that of the IdP username.

Note

  • When Standard Sign-on is disabled, only the SAML 2.0 username is active.

  • When Standard sign-on is enabled, the DigiCert ONE and IdP usernames must be kept identical.

  • DigiCert ONE currently does not support auto-creation/registration of users via the IdP.

Existing users

  • Usernames: For existing DigiCert ONE users, the username is tied to Standard sign-on (even if Standard sign-on is disabled) before SSO is enabled. Once SSO is enabled, a new field, SAML 2.0 SSO Username, appears in Edit user details. By default it takes the DigiCert ONE username; modify it here to match the IdP username, if required.

    [Image: SAML.png]

  • Notification: Existing users receive an email on SSO activation telling them how to sign in.

For Azure AD from another source

Users need to modify their SAML configuration in Azure to ensure the assertion is signed. To do this:

  • Open the SAML configuration.

  • Click Edit beside SAML Signing Certificate.

  • Select Sign SAML assertion beside Signing Option, and click Save.

    Note

    Signing SAML response is optional.

    [Image: Azure_SAML.png]
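Both the Prerequisites and the Azure AD section above make the same point: DigiCert ONE needs the SAML assertion itself to be signed, and a signature on the outer response alone is optional and not a substitute. The script below, an added example that is not DigiCert's, Okta's or Microsoft's code, inspects a captured SAML Response (for example one saved from a browser SAML tracer during testing) and reports where the signature sits. It checks structure only: that a Signature element is a direct child of the Assertion and that its Reference points at the Assertion's own ID. It does not verify the signature cryptographically; that is the service provider's job using the certificate from the IdP metadata. The two embedded responses are constructed, with placeholder IDs, issuer and SignatureValue.

```python
"""Report whether a SAML Response signs the assertion, the response, or both (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed building blocks for the two sample responses; all values are placeholders.
_HEAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exkEXAMPLEidp</saml:Issuer>"""
_SIG = """<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"""
_ASSERTION = """<saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLEidp</saml:Issuer>%s
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>"""

# Assertion signed over itself, response unsigned: satisfies the DigiCert ONE requirement.
ASSERTION_SIGNED = _HEAD + _ASSERTION % (_SIG % "_assert1") + "</samlp:Response>"
# Only the outer response signed: does not satisfy it, even though a signature is present.
RESPONSE_SIGNED_ONLY = _HEAD + _SIG % "_resp1" + _ASSERTION % "" + "</samlp:Response>"


def _signed_over_self(assertion: ET.Element) -> bool:
    """True if the assertion carries an enveloped signature whose Reference
    points at the assertion's own ID. A Signature anywhere else does not count,
    so a signed response wrapped around an unsigned assertion reads as unsigned.
    """
    sig = assertion.find("ds:Signature", NS)  # direct child only
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + assertion.get("ID", "")


def signature_status(response_xml: str) -> dict:
    """Summarise the signature placement in a samlp:Response document."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is %s, expected samlp:Response" % root.tag)
    assertions = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        # Encrypted assertions cannot be inspected here; decrypt first, then re-run.
        "encrypted_assertion_count": len(encrypted),
        # Every plaintext assertion must be signed over itself.
        "assertion_signed": bool(assertions) and all(_signed_over_self(a) for a in assertions),
    }


def meets_digicert_requirement(response_xml: str) -> bool:
    """DigiCert ONE needs a signed assertion; a signed response alone is not enough."""
    return signature_status(response_xml)["assertion_signed"]


if __name__ == "__main__":
    for name, doc in (("assertion signed", ASSERTION_SIGNED), ("response signed only", RESPONSE_SIGNED_ONLY)):
        print(name, signature_status(doc), "OK" if meets_digicert_requirement(doc) else "FIX IdP signing option")
```

If the second shape is what your IdP produces, that is the case the Azure AD steps above fix: change the Signing Option to Sign SAML assertion (or, in another IdP, the equivalent setting) and re-test rather than relaxing anything on the DigiCert ONE side.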

Two-Factor Authentication and SSO with SAML

You will be prompted to enter an OTP when signing in even if you have already provided an OTP to your identity provider (IdP).

What's next

After adding the DigiCert metadata to your IdP, sign in and finalize the single sign-on connection to DigiCert ONE.

DigiCert ONE sends existing users in your account the Single sign-on access to DigiCert ONE email. The email lets them know you enabled SSO for their account. To access the SSO sign-in page, they need to select Sign in to DigiCert ONE. They will use the SSO URL to sign in to their account.
