
I'm a Service Provider, and the SME for the Identity Provider has specified that they require that the SP provide them a certificate different from the standard server certificate.

Every SSO Integration I've accomplished so far has had the IdP provide me with the certificate.

Is an SP able to create and provide a separate certificate to the IdP? Currently, the IdP SME is advising that unless I can provide this, he won't enable Solicited SSO (SP-Initiated SSO).

Ryan G
  • I think you're mixing up the certificate and the actual signature. As an SP, you should use a long-lived self-signed certificate as the public key to sign your SAML AuthnRequests. If you're doing this with SimpleSAMLphp as identified in your tags, you should look at the option 'redirect.sign' in your config/authsources.php file. – Kellen Murphy Sep 04 '19 at 14:28
  • @KellenMurphy Thank you Kellen, I believe you are correct. I've clarified my question. I suppose I'm unsure how to create such a certificate and if the redirect.sign parameter is what would be applicable. – Ryan G Sep 04 '19 at 18:42
  • You can use OpenSSL to generate the certificate (see [this](https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl) SO question). `redirect.sign` would need to be true and you need to specify the certificate to use. See: https://stackoverflow.com/questions/32406699/how-do-i-embed-a-signature-within-an-authnrequest-for-saml-2-0-sso-in-php – Kellen Murphy Sep 04 '19 at 19:36
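The comments point at generating a long-lived self-signed SP signing certificate with OpenSSL. The script below is an added example, not code from the question, the commenters, or the SimpleSAMLphp project. It generates the key pair and certificate, checks that the certificate is self-signed and matches the private key (the IdP only ever receives the certificate, never the key), and extracts the base64 body that an IdP administrator usually pastes into their metadata. The output file names `sp.pem` / `sp.crt`, the subject `sp.example.org` and the 10-year lifetime are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: create and sanity-check a self-signed SP signing certificate.
# Assumed: output files sp.pem (private key) and sp.crt (certificate), an
# example CN of sp.example.org, and a deliberately long validity period.
set -eu

# gen_sp_signing_cert OUTDIR [CN] [DAYS]
# Creates an RSA-2048 key without a passphrase (the SP software reads it at
# runtime) and a self-signed SHA-256 certificate. Long-lived on purpose: the
# IdP pins this certificate in its metadata, so rotation is a coordinated
# change, not something that should happen silently on expiry.
gen_sp_signing_cert() {
    outdir="${1:-.}"
    cn="${2:-sp.example.org}"
    days="${3:-3650}"
    # Subshell so the restrictive umask does not leak into the caller's shell.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -keyout "$outdir/sp.pem" -out "$outdir/sp.crt" \
          -days "$days" -subj "/CN=$cn" >/dev/null 2>&1 )
    chmod 600 "$outdir/sp.pem"   # private key: owner only
    chmod 644 "$outdir/sp.crt"   # certificate: public, this is what the IdP gets
    echo "$outdir/sp.crt"
}

# verify_sp_signing_cert CRT KEY
# Returns 0 when the cert is self-signed (issuer equals subject), the private
# key matches the public key embedded in the cert, and the cert has not expired.
verify_sp_signing_cert() {
    crt="$1"
    key="$2"
    issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1
    # Both commands emit the SubjectPublicKeyInfo in PEM; they must be identical.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$crt_pub" = "$key_pub" ] || return 2
    # -checkend 0: fail if the certificate is already past notAfter.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 3
    return 0
}

# cert_base64_body CRT
# Strips the PEM armour lines and line breaks, leaving the single-line base64
# value that typically goes into the IdP's <ds:X509Certificate> element.
cert_base64_body() {
    grep -v -- '-----' "$1" | tr -d '\n'
}

# Constructed demo, run only when SP_CERT_DEMO=1 is set:
#   SP_CERT_DEMO=1 sh sp_cert.sh ./certs
if [ "${SP_CERT_DEMO:-}" = "1" ]; then
    dir="${1:-.}"
    crt=$(gen_sp_signing_cert "$dir")
    verify_sp_signing_cert "$crt" "$dir/sp.pem" && echo "certificate OK: $crt"
    echo "base64 body for the IdP:"
    cert_base64_body "$crt"
    echo
fi
```

On the SimpleSAMLphp side the `saml:SP` authsource in `config/authsources.php` references the two files through its `privatekey` and `certificate` options and enables request signing with `redirect.sign`; only `sp.crt` is handed to the IdP. Re-run `verify_sp_signing_cert` after copying files between hosts: a mismatched key and certificate pair produces signatures the IdP cannot validate, which looks like a generic "signature invalid" failure on their end.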

0 Answers