Using Certificates


Adding certificates

Certificates can be used for the following entities:

  • Service Provider
    • Type SAML2
    • Type OAuth Client
    • WS Federation
  • IdentityProvider
    • Type SAML2
    • Type OAuth 2.0


When adding a certificate, you need to specify the context, the alias and the usage period.

Below is a matrix of which certificate types and contexts are available for each type of SP and IDP.

Context

SAML:

Contexts on Service Provider

  • Key Signing: Certificate used to sign the Authentication Request to the IDP
  • Trust Signing: Certificate used to validate the signature of the Assertion Request
  • Key Encryption: Certificate used to decrypt the Authentication Request
  • Trust Encryption: Certificate used to encrypt the Assertion Request
  • Key TLS: Server Certificate used for the Service Provider to establish a secure connection using TLS for Artifact Resolution.
  • Trust TLS: ???

Contexts on Identity Provider

  • Trust Signing: Certificate used to validate the signature of the Authentication Request
  • Key Signing: Certificate used to sign the Assertion Request to the IDP
  • Key Encryption: Certificate used to decrypt the Assertion Request
  • Trust TLS: Client Certificate used to establish a connection using TLS to the IDP for Artifact Resolution
  • Key TLS: ???

OAUTH:

Contexts on Service Provider

  • Key Signing: Certificate used to sign the JWT Tokens

Contexts on Identity Provider

  • Key Signing: Certificate used to sign the JWT Tokens in case of Client Authentication
  • Trust TLS: Certificate used to establish a connection using TLS to the IDP
  • Key TLS: ???

WS Federation:

  • Signing: Certificate used to sign the Authentication Request

Certificate Alias

Select the certificate for this context. 

Note: Expired Certificates cannot be selected here.

Usage period

Can be used to further narrow the time boundaries on certificate usage.

For example, when renewing an encryption certificate there can be no overlap period, so adjusting these settings allows you to move seamlessly from one certificate to another.

The default values are copied from the certificate validity period.
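As an added illustration (not part of this article or the product's own code), the following Python models the rules described in the Certificate Alias and Usage period sections: an expired certificate cannot be selected, the usage period defaults to the certificate validity period and may only narrow it, and for a single-certificate context such as Key Encryption the old and new usage periods must meet without overlap or gap. The class and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class CertificateBinding:
    """A certificate selected for one context, e.g. 'Key Encryption' on an SP (hypothetical model)."""
    alias: str
    not_before: datetime                    # start of certificate validity
    not_after: datetime                     # end of certificate validity
    usage_start: Optional[datetime] = None  # defaults to not_before
    usage_end: Optional[datetime] = None    # defaults to not_after

    def __post_init__(self):
        # Default usage period is copied from the certificate validity period.
        self.usage_start = self.usage_start or self.not_before
        self.usage_end = self.usage_end or self.not_after

    def active_at(self, when: datetime) -> bool:
        return self.usage_start <= when < self.usage_end

def check_binding(b: CertificateBinding, now: datetime) -> list:
    """Reasons the binding must be rejected; an empty list means it is acceptable."""
    problems = []
    if b.not_after <= now:
        problems.append(f"{b.alias}: expired certificates cannot be selected")
    if b.usage_start < b.not_before or b.usage_end > b.not_after:
        problems.append(f"{b.alias}: usage period lies outside certificate validity")
    if b.usage_start >= b.usage_end:
        problems.append(f"{b.alias}: usage period is empty")
    return problems

def check_rollover(bindings: list) -> list:
    """For a context that allows a single active certificate (Key Encryption),
    usage periods must chain end-to-start; report any overlap or gap."""
    ordered = sorted(bindings, key=lambda b: b.usage_start)
    issues = []
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.usage_start < prev.usage_end:
            issues.append(f"overlap: {prev.alias} and {nxt.alias} are both active")
        elif nxt.usage_start > prev.usage_end:
            issues.append(f"gap: nothing active between {prev.alias} and {nxt.alias}")
    return issues

def active_alias(bindings: list, when: datetime) -> Optional[str]:
    """Alias of the certificate in use at 'when' (run check_rollover first to rule out overlaps)."""
    hits = [b.alias for b in bindings if b.active_at(when)]
    return hits[0] if hits else None
```

Setting the new certificate's usage start to the old certificate's usage end is what produces the seamless switch with no overlap.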
