Instructions for how to configure SAML guest requests for your CertCentral account
The SAML Certificate Request feature in CertCentral allows you to connect your identity provider (IdP) with CertCentral so that users can request Client Certificates. Once the connection is configured and the SAML guest request URL created, users that can authenticate through your identity provider are able to make client certificate requests, even if the user does not exist in the CertCentral account.
How to Configure SAML Guest Requests for Your CertCentral Account
In your CertCentral account, in the sidebar menu, click Settings > SAML Certificate Requests.
On the SAML Certificate Requests page, click Edit Federation Settings.
Field Mapping: Verify Your XML Metadata (SAML Assertion) Contains Necessary Attributes
On the Federation Settings page, in the Field Mapping section, verify that you are supplying the proper SAML attributes in your SAML XML Metadata.
For a SAML Guest Request to succeed, you need to configure the following field mappings on your IdP:
SAML attribute "organization". The "organization" attribute must match an organization in your CertCentral account that has been validated and is active. For example, if the organization you want to use is DigiCert, Inc., then your SAML "organization" attribute must be "DigiCert, Inc." (e.g., <saml:AttributeValue>DigiCert, Inc.</saml:AttributeValue>).
SAML attribute "common_name".
SAML attribute "email". The domain included in the "email" attribute must match a domain in your CertCentral account that has been validated and is active. If the domain has not been validated, the user should receive an email with a link and instructions for validating their email address; this must be completed before they can be issued a client certificate.
Person ID (optional)
SAML attribute "person_id". The "person_id" attribute is only required if NameID is not included in the assertion. The "person_id" value must be unique to the user so that the user can access their previously placed orders.
These field mappings must be configured on the IdP side so that DigiCert can properly parse the metadata and display the correct information in the certificate request form.
Set Up Your Identity Provider Metadata
On the Federation Settings page, in the Your IDP's Metadata section, do the following:
Add IdP Metadata
Under How will you send data from your IDP?, do one of the following tasks:
XML Metadata: Select this option and then manually provide DigiCert with your IdP metadata in XML format. If you use this option, you will need to manually update your IdP metadata if it changes.
Use a dynamic URL: Select this option and then provide DigiCert with the link to your IdP metadata. If you use this option, your IdP metadata is updated automatically if it changes.
Add Federation Name
Under Federation Name, provide a federation name (friendly name). This name is included in the SP-initiated SAML Guest Request URL that is created (which can be sent to your SAML users) and becomes the title of your SP-initiated Guest Request login page.
Note: The federation name must be unique. We recommend using your company name.
Enable Products for SAML Guest Certificate Requests
Under Product Options, select the products you want your SAML guest request users to be able to order once they have authenticated to a SAML Guest Request. The products you can enable (provided they are also enabled in your account) are as follows:
Use this certificate to provide client authentication only.
Use this certificate to provide client authentication and document signing*.
Digital Signature Plus
Use this certificate to provide client authentication, email signing, and document signing*.
Use this certificate to provide client authentication, email encryption, email signing, and document signing*.
*Note: For programs that support the application of digital signatures and encryption, clients can sign documents and encrypt their valuable data such as documents. For programs that use the Adobe Approved Trust List, please use a Document Signing Certificate product.
When you are finished, click Save & Finish.
Add DigiCert's Service Provider (SP) Metadata to Your Identity Providers (IdPs)
On the SAML Certificate Request page, in the DigiCert's SP Metadata section, do one of the following tasks:
Dynamic URL for DigiCert's SP Metadata: Copy the dynamic URL provided by DigiCert to our SP metadata and add it to your IdP to help make the SAML Guest Request connection. If you use this option, our SP metadata is updated automatically in your IdP if your IdP metadata is ever changed in your CertCentral account.
Static XML: Copy the XML formatted SP metadata provided by DigiCert and add it to your IdP to help make the SAML Guest Request connection. If you use this option, DigiCert's SP metadata will need to be manually updated in your IdP as needed.
Log in and Finalize the SAML Authenticated Guest Request Connection
On the SAML Certificate Request page, in the SAML Guest URL section, copy the URL and paste it into a browser. Then, use your IdP login credentials to authenticate to the SAML guest request page.
Note: If you prefer, you can use an IdP-initiated login URL to log into your CertCentral account instead. However, you will need to provide your users with this IdP-initiated URL or application.
Congratulations, you have successfully configured the SAML Guest URL for your DigiCert CertCentral account.