Create and manage SAML signing certificates

SAML signing certificates contain a key pair that you associate with a SAML application. The private key signs the SAML responses that Identity as a Service returns to a SAML service provider for SAML authentication. You can export the signing certificate and import it into the SAML service provider to validate the signature that the SAML assertion returns.

Identity as a Service provides a default self-signed certificate. You can use this certificate or create your own. You can also replace a self-signed certificate with a certificate signed by a CA either by importing a signing key or with a certificate signing request (CSR). You need to export the certificate to integrate Identity as a Service with a SAML application.

Note: If you enable notifications (see Manage entitlement usage notifications), users receive an email when their certificates are soon to expire or are no longer valid.

Export a certificate

Export a SAML signing certificate

1. Log in to your Identity as a Service administrator account.

1. Click > Security > Applications. The Applications List page appears.

2. Under SAML Cloud Integrations, click SAML Signing Certificates. The SAML Signing Certificates page appears.

3. Click next to the certificate to export the certificate you want to import into your SAML service provider application. The Export Certificate dialog box appears.

a. If the certificate has been issued by a CA, do one of the following:

– Click Certificate to export the self-signed certificate.

– Click Root CA Certificate to export a certificate issued from a CA.

– Click Certificate Chain to export the SAML signing certificate and its CA certificates.

b. Click Export.

Copy a SAML signing certificate

1. Log in to your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications List page appears.

3. Under SAML Cloud Integrations, click SAML Signing Certificates. The SAML Signing Certificates page appears.

4. Click next to the certificate to copy it to the clipboard.

5. Open a text editor, such as Notepad, and paste the contents of the certificate into the text file.

6. Save the file.

Create a signing certificate

Create or import a signing certificate

Identity as a Service provides a default self-signed certificate. You can also create your own certificate. This might be necessary if your certificate is about to expire or you want to create a certificate and replace the self-signed certificate with a certificate signed by a Certificate Authority (CA).

1. Log in to your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications List page appears.

3. Under SAML Cloud Integrations, click SAML Signing Certificates. The SAML Signing Certificates page appears.

4. Click .

5. Do one of the following:

Create a SAML signing certificate

a. Select Create to create a new signing certificate. The Create Signing Certificate dialog box appears.

b. Enter a Name for the certificate.

c. Select the expiry date from the pop-up calendar and click OK.

d. Click Add. The certificate appears on the Signing Certificates page.

Import a SAML signing certificate

a. Select Import to create a new signing certificate. The Create Signing Certificate dialog box appears.

b. Enter a Name for the certificate.

c. Clickand browse to select your signing certificate file.

d. Click Import.

Replace a self-signed certificate with a CA signed certificate using a Certificate Signing Request (CSR)

You can create a PKCS#10 request, which is a standard file that a CA uses to issue certificates. It contains a public key that has been signed by the corresponding private key. To do this, you must generate a CSR and then process the CSR response.

Generate a CSR

1. Log in to your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications List page appears.

3. Under SAML Cloud Integrations, click Signing Certificates. The Signing Certificates page appears.

4. On the Signing Certificates pages, click next to the certificate.

5. Select Generate CSR. The Generate CSR dialog box appears.

6. Enter the values for any of the following attributes for the Distinguished Name (DN). The required values depend on the CA you are going to use to issue your CA-signed certificate:

Note: Do not enter values with o=.

● Common Name (CN)—Enter a name that identifies your certificate. This field is mandatory.

● Optionally, enter the following:

– Organization Unit (OU)—Enter the name of the organization unit handling the certificate.

– Organization (O)—Enter the legal name of your organization.

– Locality (L)—Enter the city location of your organization.

– State/Province (ST)—Enter of the full state, province, or territory name of your organization (do not use abbreviations).

– Country (C)—Enter the two-letter ISO code for the country location of your organization.

7. Click Next. You are prompted to add Subject Alt Names.

8. Optional. If your certificate requires Subject Alt Names, do the following to include additional sites protected by the certificate:

a. Click Add.

b. Move the toggle switch to DNS Name or IP Address.

c. Enter the DNS Name or IP Address.

d. Repeat these steps to add more Subject Alt Names.

9. Click Next. The Key Type and Signing Algorithm page appears.

a. Select the Key Type from the drop-down list.

b. Select the Signing Algorithm from the drop-down list.

c. Optional. Enter the Challenge Password.

d. Click Next.

10. Review the Summary and then click Generate CSR to generate the CSR to export the CSR.

Process the CSR Response

Once, the CA processes the CSR, you need process the CSR response in Identity as a Service.

1. Log in to your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications List page appears.

3. Under SAML Cloud Integrations, click Signing Certificate. The Signing Certificates page appears.

4. On the Signing Certificates pages, click next to the certificate.

5. Select Process CSR Response from the drop-down list. The Process CSR Response dialog box appears.

6. Click and browse to upload the CSR Response file.

Note: Click and browse to upload more CSR Response files.

7. Click and browse to upload Additional Certificates.

8. Click Submit.

Create SAML signing certificates

Export a certificate

Copy a SAML signing certificate

Create a signing certificate

Create or import a signing certificate

Replace a self-signed certificate with a CA signed certificate using a Certificate Signing Request (CSR)