The SAML authentication protocol requires that you manage certificates. Certificates serve two purposes: signing the SAML assertions and encrypting them. This section gives some considerations related to the management of these certificates.
Certificate for Test environments
For the test environment you can use purchased certificates (if you already have them), certificates signed by a certifying authority (CA), or self-signed certificates. If you use self-signed certificates, it is important that the certificate is created with the following requirements:
• The certificate must be in .P12 or .PFX file format.
• The certificate file must be protected with a password, which you define when you export the public and private keys.
• It must include the following information:
  ▪ Common Name or fully-qualified domain name (CN), for example, www.example.com.
  ▪ Organization name (O)
  ▪ Country code (C)
  ▪ City code (L)
  ▪ Subject Alternative Name (SAN). For example, DNS name = *mycompany.com
• Give the certificate the maximum expiration date allowed in your organization (1 or 2 years is recommended).
Because certificates have expiration dates, it is very important that you keep track of the due date. If the certificate expires without being renewed, users will NOT be able to access the web portal through the SAML identity provider that uses that certificate.
Refer to Issuing self-signed certificates to learn how to create certificates for your test environment.
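As an added example (not part of the original page or the product's own tooling), the following script creates a self-signed test certificate that satisfies the requirements listed above, exports it as a password-protected .PFX, and checks how long it remains valid so the expiry date can be tracked. It assumes openssl is installed; the subject values, password and file names are placeholders.

```shell
#!/bin/sh
# Added example: self-signed SAML test certificate with CN, O, C, L and SAN,
# exported to a password-protected PKCS#12 (.PFX) file. Requires openssl.
set -eu

# Generate a key and self-signed certificate valid for $2 days
# (365-730 matches the 1-2 year recommendation) in directory $1,
# then export key + certificate to saml.pfx protected by password $3.
make_saml_test_cert() {
  outdir=$1; days=$2; pfx_password=$3
  mkdir -p "$outdir"
  cat > "$outdir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = www.example.com
O = Example Company
C = US
L = Example City
[ext]
subjectAltName = DNS:*.example.com, DNS:example.com
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -config "$outdir/openssl.cnf" \
    -keyout "$outdir/saml.key" -out "$outdir/saml.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$outdir/saml.key" -in "$outdir/saml.crt" \
    -out "$outdir/saml.pfx" -passout "pass:$pfx_password"
}

# Print the subject of the certificate stored in .PFX $1 (password $2),
# so the CN/O/C/L fields can be verified before uploading the file.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Exit 0 if the certificate in .PFX $1 stays valid for at least $3 more days.
# Run this from a scheduled job to renew before SAML sign-in breaks.
pfx_valid_for_days() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}
```

Call `make_saml_test_cert ./out 730 'your-password'`, then `pfx_valid_for_days ./out/saml.pfx 'your-password' 30` returns non-zero once fewer than 30 days remain.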
Certificate for Production environments
In production environments, you cannot use self-signed certificates. Therefore, you need to acquire a certificate from a Certifying Authority (CA). Here are some CAs:
Some organizations have their own CA. In that case you will need a certificate signed by the CA defined by your IT administrator.
After obtaining the certificate you can proceed to set up the identity provider.