We're currently developing an SSL solution using SAML 2.0, and until now have been using self-signed certificates for signing the XML requests.
However, as we move to production, we want to use a certificate from a certificate authority. But I'm not really sure what type of certificate to purchase, as they are all website-centric. For example, single domain, wildcard domain, etc.
For example, have been looking at these: https://www.123-reg.co.uk/ssl-certificates/
I'm fairly knowledgeable when it comes to purchasing SSL certificates for a website. However, as the certificate is just going to be used for signing SAML requests, does it matter which type is purchased? Surely whether it supports a single domain or a wildcard domain is irrelevant?
To set up SSO using the SAML instance where Google is the service provider (SP), you need to generate a set of public and private keys and an X.509 certificate that contains the public key. The public keys and certificates must be generated with either the RSA or DSA algorithm and registered with Google.
SAML signing and encryption uses public keys, or certificates, to verify data sent between the Service Provider (SP) and Harvard Identity Provider (IdP). SAML certificates are distinct from SSL (TLS) certificates, which apply to the application's browser and are configured and maintained by the server.
To use Hub as the Identity Provider with SAML, you must encrypt the connection between Hub and a Service Provider. You need to generate an SSL key and a certificate, pack them in a PKCS #12 format file, and upload it to Hub.
The SAML signing certificate is used to sign SAML requests, responses, and assertions from the service to relying applications such as WebEx or Google Apps. The Workspace ONE Access service automatically creates a self-signed certificate for SAML signing to handle the signing and encryption keys.
Certificates in SAML are only used as a convenient way to handle the signing and encryption keys. The keys are usually either exchanged through metadata, or by some secure transfer of the certificate to the parties involved in the SAML exchange. Thus, there is no need to be able to validate the certificates with a public authority.
This is also stated in the SAML metadata specification (line 697):
"This specification takes no position on the allowable or suggested content of this element, nor on its meaning to a relying party. As a concrete example, no implications of including an X.509 certificate by value or reference are to be assumed. Its validity period, extensions, revocation status, and other relevant content may or may not be enforced, at the discretion of the relying party."
So I would just continue using a self-signed certificate.
But, if you want to buy a certificate it should have "digital signature" and "key encipherment" usages. Normal SSL certificates (at least those I've checked) do contain those usages.
The "digital signature" usage should be self-explanatory. The "key encipherment" usage is due to the fact that the key in the certificate is not used to directly encrypt the data. The data is encrypted by a symmetric key algorithm suitable for larger data sizes. That key is then encrypted with the RSA key (RSA is suitable for smaller data, such as an encryption key). Thus, the RSA key is used to encrypt/encipher a key.
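The following is an added example, not code from the question or the answer above. It uses the openssl CLI to do the three things the answer describes: create a self-signed certificate whose keyUsage carries digitalSignature and keyEncipherment, read the decoded keyUsage back (the same check you would run on a purchased certificate before uploading it to an IdP or SP), and perform the hybrid encryption that makes "key encipherment" necessary, i.e. encrypt the XML under a fresh AES key and wrap only that key with the RSA public key from the certificate. The working directory, the CN `idp.example.test` and the sample assertion are assumptions made for the demo; the CN is not a real host and, as the answer says, no hostname matching happens in SAML anyway.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Assumptions: an openssl CLI on PATH; WORK and CN are hypothetical demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-idp.example.test}"

# 1. Self-signed cert for SAML signing/encryption. The keyUsage extension is
#    set via a small config so this works on old and new OpenSSL alike.
#    The CN is cosmetic: SAML peers trust the cert they got from metadata,
#    not a hostname, so "single domain" vs "wildcard" never comes into play.
make_saml_cert() {
  cat > "$WORK/saml.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = saml_ext
prompt             = no
[dn]
CN = $CN
[saml_ext]
keyUsage             = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -config "$WORK/saml.cnf" \
    -keyout "$WORK/saml.key" -out "$WORK/saml.crt" 2>/dev/null
}

# 2. Print the decoded keyUsage line of a certificate, for example
#    "Digital Signature, Key Encipherment". Run this on a purchased cert
#    before handing it to an IdP/SP; both usages should be listed.
cert_key_usage() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Key Usage/{n;s/^[[:space:]]*//;p;}'
}

# 3. Hybrid encryption as done for a SAML EncryptedAssertion: the XML is
#    encrypted with a random 256-bit AES key, and only that key is encrypted
#    with the RSA public key from the certificate (RSA-OAEP). The receiver
#    unwraps the AES key with the private key, then decrypts the XML.
#    Prints the recovered plaintext.
hybrid_roundtrip() {
  plain="$1" cert="$2" key="$3"
  # Sender side
  openssl rand -hex 32 > "$WORK/aes.key"
  openssl rand -hex 16 > "$WORK/aes.iv"
  openssl enc -aes-256-cbc -K "$(cat "$WORK/aes.key")" -iv "$(cat "$WORK/aes.iv")" \
    -in "$plain" -out "$WORK/msg.enc"
  openssl x509 -in "$cert" -pubkey -noout > "$WORK/saml.pub"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/saml.pub" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/aes.key" -out "$WORK/aes.key.wrapped"
  # Receiver side
  openssl pkeyutl -decrypt -inkey "$key" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/aes.key.wrapped" -out "$WORK/aes.key.unwrapped"
  openssl enc -d -aes-256-cbc -K "$(cat "$WORK/aes.key.unwrapped")" \
    -iv "$(cat "$WORK/aes.iv")" -in "$WORK/msg.enc" -out "$WORK/msg.dec"
  cat "$WORK/msg.dec"
}

# Demo run on a constructed sample assertion (not real SAML data).
make_saml_cert
printf '<saml:Assertion ID="_demo">constructed sample</saml:Assertion>' \
  > "$WORK/assertion.xml"
echo "keyUsage:  $(cert_key_usage "$WORK/saml.crt")"
echo "decrypted: $(hybrid_roundtrip "$WORK/assertion.xml" "$WORK/saml.crt" "$WORK/saml.key")"
```

The same `cert_key_usage` check applies to a CA-issued certificate: if the Key Usage line lacks "Key Encipherment", the certificate can still be used to sign assertions, but a strict peer may refuse to use it to encrypt assertions to you.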