Considerations about certificates for SAML authentication



The SAML authentication protocol requires that you manage certificates. Certificates have two uses: signing the SAML assertions and encrypting the assertions. This section gives some considerations related to the management of these certificates.


Certificate for Test environments

For the test environment you can use purchased certificates (if you already have them), certificates signed by a certifying authority (CA), or self-signed certificates. If you use self-signed certificates, it is important that the certificate meets the following requirements:


•  The certificate must be in .P12 or .PFX file format.

•  The password for the certificate file, as defined by you when you exported the public and private keys.

•  It must include the following information:

   o  Subject parameters

      -  Common Name or fully-qualified domain name (CN), for example,

      -  Organization name (O)

      -  Country code (C)

      -  City code (L)

   o  Subject Alternative Name (SAN). For example, DNS name = *

•  Give the certificate the maximum expiration date allowed in your organization. (1 or 2 years is recommended).



Because certificates have expiration dates, it is very important that you keep track of the due date. If the certificate expires without being renewed, users will NOT be able to access the web portal through the SAML identity provider that uses that certificate.


Refer to Issuing self-signed certificates to learn how to create certificates for your test environment.
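
The checklist and the expiration warning above can be verified from the command line. The following is an added example, not part of the Bizagi documentation: it assumes OpenSSL 1.1.1 or later, and the host name, organization, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host name, organization and file names are constructed.
# Requires OpenSSL 1.1.1 or later (for -addext).

# Create a self-signed test certificate carrying the Subject fields and SAN
# from the checklist, then export key + certificate to a password-protected .pfx.
make_test_pfx() {  # usage: make_test_pfx <out_dir> <password> <days_valid>
  local dir="$1" pass="$2" days="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=portal.example.test/O=Example Org/C=US/L=Springfield" \
    -addext "subjectAltName=DNS:portal.example.test" \
    -keyout "$dir/saml.key" -out "$dir/saml.crt" 2>/dev/null || return 1
  # env: keeps the password out of the process list
  PFX_PASS="$pass" openssl pkcs12 -export -inkey "$dir/saml.key" \
    -in "$dir/saml.crt" -out "$dir/saml.pfx" -passout env:PFX_PASS
}

# Check a .pfx/.p12 against the checklist. Prints every problem found.
# Returns 0 = ok, 1 = a requirement is not met, 2 = file could not be opened.
check_saml_pfx() {  # usage: check_saml_pfx <file> <password> <min_days_left>
  local pfx="$1" pass="$2" min_days="$3" pem subject field rc=0
  pem=$(PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -nokeys -clcerts \
        -passin env:PFX_PASS 2>/dev/null) \
    || { echo "cannot open $pfx (wrong password or not PKCS#12)"; return 2; }
  subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253)
  for field in CN O C L; do
    printf '%s\n' "$subject" | grep -Eq "(=|,)$field=" \
      || { echo "missing Subject field: $field"; rc=1; }
  done
  printf '%s\n' "$pem" | openssl x509 -noout -text \
    | grep -q "Subject Alternative Name" \
    || { echo "missing Subject Alternative Name"; rc=1; }
  # -checkend N fails if the certificate expires within the next N seconds
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $((min_days * 86400)) \
    >/dev/null || { echo "expires within $min_days days: renew now"; rc=1; }
  return $rc
}
```

Running check_saml_pfx on a schedule with a renewal window (for example 30 days) gives warning before users lose access through the identity provider.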


Certificate for Production environments

In production environments, you cannot use self-signed certificates. Therefore, you need to acquire a certificate from a Certifying Authority (CA). Here are some CAs:









Some organizations have their own CA, managed by their IT administrators. In that case, you will need a certificate signed by the CA defined by your IT administrator.


After obtaining the certificate, you can proceed to set up the identity provider.