Instructions for how to configure SAML guest requests for your CertCentral account

The SAML Certificate Request feature in CertCentral allows you to connect your identity provider (IdP) with CertCentral so that users can request Client Certificates. Once the connection is configured and the SAML guest request URL created, users that can authenticate through your identity provider are able to make client certificate requests, even if the user does not exist in the CertCentral account.

How to Configure SAML Guest Requests for Your CertCentral Account

  1. In your CertCentral account, in the sidebar menu, click Settings > SAML Certificate Requests.

  2. On the SAML Certificate Requests page, click Edit Federation Settings.

  3. Field Mapping: Verify Your XML Metadata (SAML Assertion) Contains Necessary Attributes

    On the Federation Settings page, in the Field Mapping section, verify that you are supplying the proper SAML attributes in your SAML XML metadata.

    For SAML Guest Request to be successful, you need to configure the following field mappings on your IdP:

    • Organization

      SAML attribute "organization". The "organization" attribute must match an organization in your CertCentral account that has been validated and is active. For example, if the organization you want to use is DigiCert, Inc., then your SAML "organization" attribute must be "DigiCert, Inc." (e.g., <saml:AttributeValue>DigiCert, Inc.</saml:AttributeValue>).

    • Common Name

      SAML attribute "common_name".

    • Email Address

      SAML attribute "email". The domain included in the "email" attribute must match a domain in your CertCentral account that has been validated and is active. If the domain has not been validated, the user should receive an email with a link and instructions for validating their email address; this must be completed before they can be issued a client certificate.

    • Person ID (optional)

      SAML attribute "person_id". The "person_id" attribute is only required if NameID is not included in the assertion. It must be unique to the user so that the user can access their previously placed orders.

    These field mappings must be configured on the IdP side so that DigiCert can properly parse the metadata and display the correct information in the certificate request form.

    Example Assertion:

    <saml:AttributeStatement>
      <saml:Attribute Name="organization">
        <saml:AttributeValue>Example Organization</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="common_name">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>j.doe@bprd.darkhorse</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="person_id">
        <saml:AttributeValue>455c486547814cf1bcb7dcd9da91f8f6</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

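
    As an added example (not DigiCert's own code), the following Python parses an assertion's AttributeStatement and checks it against the field-mapping rules above, so an IdP administrator can test the mapping before sending users the guest request URL. The sample assertion, the validated-organization and validated-domain sets, and the function names are constructed for illustration; the SAML 2.0 assertion namespace is the standard one.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (namespace declared so it parses stand-alone).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="organization">
      <saml:AttributeValue>Example Organization</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="common_name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>j.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="person_id">
      <saml:AttributeValue>455c486547814cf1bcb7dcd9da91f8f6</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return ({attribute Name: first value}, whether a Subject/NameID is present)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text  # kept verbatim: organization must match exactly
    has_name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS) is not None
    return attrs, has_name_id


def check_field_mappings(attrs, has_name_id, validated_orgs, validated_domains):
    """Return the list of mapping problems; an empty list means the rules above hold."""
    problems = []
    if attrs.get("organization") not in validated_orgs:
        problems.append("organization must exactly match a validated, active organization")
    if not attrs.get("common_name"):
        problems.append("common_name is missing")
    email = attrs.get("email", "")
    domain = email.rsplit("@", 1)[1].lower() if "@" in email else ""
    if domain not in validated_domains:
        problems.append("email domain is not a validated, active domain")
    if not has_name_id and not attrs.get("person_id"):
        problems.append("person_id is required when the assertion carries no NameID")
    return problems
```

Feed it a real assertion captured from your IdP's test login and the sets of organizations and domains that show as validated and active in your account; any non-empty result is a mapping to fix on the IdP side before users try the guest request URL.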
  4. Set Up Your Identity Provider Metadata

    On the Federation Settings page, in the Your IDP's Metadata section, do the following:

    1. Add IdP Metadata

      Under How will you send data from your IDP?, do one of the following tasks:

      XML Metadata Select this option and then manually provide DigiCert with your IdP metadata in XML format.
      If you use this option, you will need to manually update your IdP metadata if it changes.

      Use a dynamic URL Select this option and then provide DigiCert with the link to your IdP metadata.
      If you use this option, your IdP metadata is updated automatically if it changes.

    2. Add Federation Name

      Under Federation Name, provide a federation name (friendly name). It is included in the SP-initiated SAML Guest Request URL that is created (and can be sent to your SAML users) and becomes the title of your SP-initiated Guest Request login page.

      Note: The federation name must be unique. We recommend using your company name.

    3. Enable Products for SAML Guest Certificate Requests

      Under Product Options, select the products you want your SAML guest request users to be able to order once they have authenticated to a SAML Guest Request. The products you can enable (provided they are also enabled in your account) are as follows:

      • Authentication Only

        Use this certificate to provide client authentication only.

      • Authentication Plus

        Use this certificate to provide client authentication and document signing*.

      • Digital Signature Plus

        Use this certificate to provide client authentication, email signing, and document signing*.

      • Premium

        Use this certificate to provide client authentication, email encryption, email signing, and document signing*.

      *Note: In programs that support digital signatures and encryption, clients can sign documents and encrypt valuable data such as documents. For programs that use the Adobe Approved Trust List, use a Document Signing Certificate product instead.

    4. When you are finished, click Save & Finish.

  5. Add DigiCert's Service Provider (SP) Metadata to Your Identity Providers (IdPs)

    On the SAML Certificate Request page, in the DigiCert's SP Metadata section, do one of the following tasks:

    Dynamic URL for DigiCert's SP Metadata
      Copy the dynamic URL provided by DigiCert to our SP metadata and add it to your IdP to help make the SAML Guest Request connection.
      If you use this option, our SP metadata is updated automatically in your IdP if your IdP metadata is ever changed in your CertCentral account.

    Static XML
      Copy the XML-formatted SP metadata provided by DigiCert and add it to your IdP to help make the SAML Guest Request connection.
      If you use this option, DigiCert's SP metadata will need to be manually updated in your IdP as needed.

  6. Log in and Finalize the SAML Authenticated Guest Request Connection

    On the SAML Certificate Request page, in the SAML Guest URL section, copy the URL and paste it into a browser. Then use your IdP login credentials to authenticate to the SAML guest request page.

    Note: If you prefer, you can use an IdP-initiated login URL to log into your CertCentral account instead. However, you will then need to provide your users with this IdP-initiated URL or application.

  7. Congratulations, you have successfully configured a SAML Guest URL for your DigiCert CertCentral account.