SAML Signing Certificates

Security is one of the most important concerns when using an SSO framework like SAML. Ensure that messages are actually coming from the expected identity and service provider rather than a malicious third party.

To ensure the identity of message originators, signing certificates are used within messages. These certificates are stored in both the identity and service providers at the time of configuration. In addition, some data might be optionally encrypted.

To use Cherwell SAML SSO, gather a number of standard x.509 certificates for use by the Cherwell Server. A self-signed certificate can be used temporarily during initial testing. For production, use a publicly trusted X.509 certificate from a public third-party certification authority (CA).

Identity Provider Token Signing and Encryption Certificates

The identity provider uses a certificate to verify the source of its communications to CSM (referred to as a token-signing certificate). The identity provider’s public certificate needs to be imported into CSM. The easiest approach is to import the metadata provided by the identity provider as a file into CSM. The metadata includes configuration information as well as certificates. If configuring the identity provider manually, copy and import its public certificate manually into Cherwell. In addition to the signing certificate, the identity provider may optionally also use a separate token encryption certificate. To import this certificate into CSM, import the identity provider’s metadata file.

Service Provider Token Signing Certificate

Like the identity provider, CSM (acting as a service provider) must use a token signing certificate, and the public certificate must be imported into the identity provider. For this purpose, both a public certificate (typically with a .cer file extension) and matching private key certificate (typically with a .pfx file extension) must be created. The private key certificate must be imported into the CSM using the Administrator SAML settings. The public certificate needs to be imported into the identity provider. The easiest way to do this is to export the CSM settings as metadata, and then import the metadata (which includes the certificate) into the identity provider.

Note: Network IT staff normally manage signing certificates and should be knowledgeable about the procedure for obtaining new certificates. Certificates must be obtained from trusted certificate authorities (such as VeriSign, Thawte, GoDaddy, and more).