Version: Early Access

SSO Certificates

What is an SSO Certificate?

The Digital.ai Identity Service supports a Signature Validation feature that uses a Signing Certificate to validate any responses from the IdP. We refer to this Signing Certificate as the SSO Certificate. It can be included in the Identity Provider config in the Platform Console.

Note:

Customers will very rarely update a Signing Certificate directly. Usually, they will provide a well-known endpoint and the Platform Console will pull the Signing Certificate from there directly when creating the Identity Provider.

Add a Signing Certificate to an IdP

There are two different ways that a Signing Certificate can be provided to an IdP:

  1. Add the certificate directly to the IdP.
  2. Add a certificate URL that can be called to get the certificate.

Option 2 is the preferred method because it removes the need to update the certificate in the Platform Console by hand when it expires.

OpenID Connect (OIDC)

For an OIDC Identity Provider, the field for the SSO certificate is Public Key Signature Verifier Key. It only appears when Validate Signature is checked.

Add certificate directly

  1. Navigate to the Advanced Config section of the Identity Provider config.
  2. Check the Validate Signature checkbox.
  3. Under the Public Key Signature Verifier Keys field, add the public key of the Signing Certificate in PEM format.
  4. Under the Public Key Signature Verifier Key ID field, add the ID of the validating public key given in the previous step.

[Screenshot: Validate Signature]

Add Certificate URL

  1. Navigate to the Advanced Config section of the Identity Provider config.
  2. Check the Validate Signature checkbox.
  3. Check the Use JWKS URL checkbox.
  4. Set the JWKS URL to the URL where the identity provider’s keys in JWK format are stored.

[Screenshot: Add certificate URL (OIDC)]
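The two OIDC options above differ in what happens when the IdP rotates its signing key. The following added example (not code from Digital.ai or the Platform Console) shows the validation step in miniature: a token's `kid` header selects a key from a JWK set, and the signature is checked against that key. A key pasted directly into the console (option 1) keeps working only until rotation; a key set refreshed from the JWKS URL (option 2) carries the new `kid`. The secrets, `kid` values and claims are constructed, and HS256 with `oct` keys is used so the block runs offline without an RSA library; real IdPs sign with asymmetric keys, but the lookup and validation flow is the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed secrets standing in for the IdP's current and rotated signing keys.
# Real IdPs sign with RS256/ES256 keys; HS256 ("oct" JWKs) is used here so the
# example runs offline without an RSA library. The validation flow is the same.
OLD_SECRET = b"constructed-idp-signing-secret-1"
NEW_SECRET = b"constructed-idp-signing-secret-2"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwks_document(kid: str, secret: bytes) -> dict:
    """What a JWKS URL would return: a key set where each key carries a kid."""
    return {"keys": [{"kty": "oct", "kid": kid, "alg": "HS256", "k": b64url_encode(secret)}]}


def sign_hs256(claims: dict, kid: str, secret: bytes) -> str:
    """Mint a JWT the way the IdP would, naming the signing key in the kid header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, jwks: dict) -> dict:
    """Return the claims if the signature checks out against a key in jwks; raise ValueError otherwise."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm the IdP is configured with; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    keys = {k["kid"]: k for k in jwks["keys"] if k.get("kty") == "oct" and "kid" in k}
    jwk = keys.get(header.get("kid"))
    if jwk is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def outcome(check) -> str:
    """Render a verification attempt as 'ok:<sub>' or 'rejected:<reason>'."""
    try:
        return "ok:" + check()["sub"]
    except ValueError as err:
        return "rejected:" + str(err)


def demo() -> dict:
    pinned = jwks_document("kid-2023", OLD_SECRET)    # option 1: key pasted into the console once
    current = jwks_document("kid-2024", NEW_SECRET)   # option 2: what the JWKS URL serves after rotation
    token_before = sign_hs256({"sub": "alice"}, "kid-2023", OLD_SECRET)
    token_after = sign_hs256({"sub": "alice"}, "kid-2024", NEW_SECRET)
    wrong_key = sign_hs256({"sub": "alice"}, "kid-2023", b"not-the-idp-secret")
    return {
        "before_rotation_pinned": outcome(lambda: verify(token_before, pinned)),
        "wrong_key_pinned": outcome(lambda: verify(wrong_key, pinned)),
        "after_rotation_pinned": outcome(lambda: verify(token_after, pinned)),
        "after_rotation_jwks_url": outcome(lambda: verify(token_after, current)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `after_rotation_pinned` case is the failure mode option 2 avoids: the token is genuine, but the console only knows the old `kid`, so every login fails until someone pastes the new key.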

Security Assertion Markup Language (SAML)

For a SAML Identity Provider, the field for the SSO certificate is Signing Certificate. It only appears when Validate Signature is checked.

Add certificate directly

To add an SSO Certificate to a SAML Identity Provider, follow these steps.

  1. Navigate to the Advanced Config section of the Identity Provider config.
  2. Check the Validate Signature checkbox.
  3. Add your signing certificate under the Signing Certificate field.

[Screenshot: Add certificate directly (SAML)]

Add Certificate URL

To add a certificate URL to a SAML Identity Provider, follow these steps.

  1. Navigate to the Advanced Config section of the Identity Provider config.
  2. Check the Validate Signature checkbox.
  3. Check the Use Metadata Descriptor URL checkbox.
  4. Add the certificate URL under the Metadata Descriptor URL field.

[Screenshot: Add certificate URL (SAML)]
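What the Metadata Descriptor URL option actually fetches is a SAML `EntityDescriptor` document in which the IdP publishes its certificates inside `KeyDescriptor` elements. The added example below (not code from Digital.ai or the Platform Console) pulls out the signing certificates from such a document and wraps one in PEM armour, which is what you would paste into the Signing Certificate field if you used the direct option instead. The metadata document is constructed and its certificate bodies are placeholders, not real DER; the PEM format for the SAML field is an assumption carried over from the OIDC instructions above.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata document; the X509Certificate bodies are placeholders,
# not real DER certificates. A KeyDescriptor without a 'use' attribute is valid
# for both signing and encryption, so it must be kept.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDERSIGNINGCERT
        AAAA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDERENCRYPTIONCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDERDUALUSECERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certificates(metadata_xml: str) -> list:
    """Base64 bodies of every certificate the IdP publishes for signing, in document order.

    Encryption-only keys are skipped; keys with no 'use' attribute serve both
    purposes and are included. Whitespace inside the certificate text is dropped.
    """
    # Metadata fetched from a URL you do not control is untrusted input; parse it
    # with defusedxml (same API) rather than the stdlib parser in production.
    root = ET.fromstring(metadata_xml)
    certs = []
    for descriptor in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if descriptor.get("use") not in (None, "signing"):
            continue
        for cert in descriptor.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def to_pem(b64_body: str) -> str:
    """Wrap a bare base64 certificate body in PEM armour with 64-character lines."""
    lines = textwrap.wrap(b64_body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for body in signing_certificates(SAMPLE_METADATA):
        print(to_pem(body))
```

Returning every signing certificate rather than just the first matters during an IdP key rollover, when the metadata advertises both the outgoing and the incoming key for a while; a validator that only honours one of them will reject assertions signed with the other.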

How to Manage Expired SSO Certificates

Note:

This section only applies to SAML Identity Providers that have the Signing Certificate added directly (Option 1 above). If you are using a certificate URL, the certificate is controlled by your organization, and it is up to your organization to update it.

The Platform Console runs a daily report that checks for expiring certificates and emails account administrators when a certificate is close to expiring. An email is sent under either of the following conditions:

  • An Identity Provider has an SSO certificate expiring in the next 21 days.

  • An Identity Provider has an SSO certificate that expired within the past 10 days.

This email will be sent to all account-admin users on the Identity Provider’s account.
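To make the two conditions and the scoping rule from the note concrete, here is an added example (not the Platform Console's own report code) that classifies each Identity Provider's certificate and lists who would be emailed. It assumes the 21-day and 10-day boundaries are inclusive and that the certificate's notAfter date is its last valid day; the IdP inventory, dates and addresses are constructed.

```python
from datetime import date, timedelta

EXPIRING_WINDOW_DAYS = 21   # "expiring in the next 21 days"
EXPIRED_WINDOW_DAYS = 10    # "expired within the past 10 days"


def notice_for(not_after: date, today: date):
    """Return 'expiring', 'expired' or None for a certificate under the two rules above.

    Assumptions: both window boundaries are inclusive, and not_after is the
    certificate's last valid day, so a certificate expiring today is 'expiring'.
    """
    days_left = (not_after - today).days
    if 0 <= days_left <= EXPIRING_WINDOW_DAYS:
        return "expiring"
    if -EXPIRED_WINDOW_DAYS <= days_left < 0:
        return "expired"
    return None


def daily_report(idps: list, today: date) -> list:
    """One (idp name, recipients, notice) entry per IdP that needs an email today.

    Only SAML IdPs with a directly added certificate are in scope; URL-fed
    certificates are the organization's responsibility, and OIDC IdPs are not
    covered by this report.
    """
    report = []
    for idp in idps:
        if idp["protocol"] != "saml" or idp["uses_metadata_url"]:
            continue
        notice = notice_for(idp["cert_not_after"], today)
        if notice:
            report.append((idp["name"], idp["account_admin_emails"], notice))
    return report


# Constructed inventory; names, dates and addresses are made up.
TODAY = date(2024, 6, 1)
IDPS = [
    {"name": "corp-saml", "protocol": "saml", "uses_metadata_url": False,
     "cert_not_after": date(2024, 6, 15), "account_admin_emails": ["admin@corp.example"]},
    {"name": "partner-saml", "protocol": "saml", "uses_metadata_url": False,
     "cert_not_after": date(2024, 5, 25), "account_admin_emails": ["ops@partner.example"]},
    {"name": "stale-saml", "protocol": "saml", "uses_metadata_url": False,
     "cert_not_after": date(2024, 5, 1), "account_admin_emails": ["ops@stale.example"]},
    {"name": "url-saml", "protocol": "saml", "uses_metadata_url": True,
     "cert_not_after": date(2024, 6, 3), "account_admin_emails": ["admin@url.example"]},
    {"name": "oidc-idp", "protocol": "oidc", "uses_metadata_url": False,
     "cert_not_after": date(2024, 6, 3), "account_admin_emails": ["admin@oidc.example"]},
]


if __name__ == "__main__":
    for name, recipients, notice in daily_report(IDPS, TODAY):
        print(f"{name}: certificate {notice}; notify {', '.join(recipients)}")
```

Note that `stale-saml` produces nothing: a certificate that expired more than 10 days ago is outside both windows, so the daily email stops even though logins against that IdP are still failing. Keeping your own inventory of directly added certificates, rather than relying on the reminder alone, closes that gap.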

Sample Email:

SSO Certificate is expiring in the next 21 days:

[Screenshot: SSO certificate expiry in 21 days]

SSO Certificate has expired:

[Screenshot: SSO certificate has expired]