When running a Policy Server and AdminUI and configuring a Federation partnership, one might like to know:

1. whether you can use a certificate issued by an internal (INTRA) CA to sign assertions;
2. whether there is a limitation in the Policy Server on using a self-signed certificate to sign assertions;
3. if a corporate INTRA CA issues the key + certificate pair used to sign SAML, whether it will be an issue that the 3rd party won't accept the corporate certificate because it is not externally issued.
At first glance, you do need a CA-signed certificate to sign assertions. As such:

1. You won't be able to use a corporate INTRA CA self-signed certificate to sign assertions;
2. There is a limitation: to sign assertions you need a CA-signed certificate, not a self-signed one;
3. You can't use the INTRA CA self-signed certificate to sign
So there's a limit. In the AdminUI, to be able to sign an assertion, the certificate must be stored in the Certificate Data Store with Type "Private Key and Certificate". A self-signed certificate is inserted automatically as "Trusted Certificate", or as "Certificate Authority" if you select the "Use as CA" option. There's no option to insert a self-signed certificate as Type "Private Key and
You should also note that using a CA-signed certificate ensures that the signing partner really is who it claims to be.
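To make the trust point concrete, here is an added example (not part of this article, and not Policy Server or AdminUI code) that reproduces with openssl what the partner does with the signing certificate you send it. It builds a constructed internal CA ("Corp Intra CA"), issues a signing certificate from it (the "Private Key and Certificate" pair), and also creates a self-signed certificate with the same name; all names and files are placeholders created in a temporary directory, and the script assumes an `openssl` binary is on the PATH. The CA-issued certificate passes the partner's chain check against the CA it has been given; the self-signed one is rejected because nothing in the partner's trust store vouches for it.

```shell
#!/bin/sh
# Added example: contrasts an internal-CA-issued signing certificate with a
# self-signed one, as seen from the federation partner's trust check.
# "Corp Intra CA" and "idp.example.test" are constructed placeholder names.
set -u

WORK=$(mktemp -d)
CA_PEM="$WORK/ca.pem";   CA_KEY="$WORK/ca.key"
IDP_PEM="$WORK/idp.pem"; IDP_KEY="$WORK/idp.key"
SELF_PEM="$WORK/self.pem"; SELF_KEY="$WORK/self.key"

# write_req_cfg CN [ca]: minimal "openssl req" config so the run does not
# depend on the system openssl.cnf; the "ca" variant adds CA extensions,
# which "openssl verify" needs to accept the root as an issuer.
write_req_cfg() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ "${2:-}" = "ca" ]; then printf 'x509_extensions = v3_ca\n'; fi
    printf '[dn]\nCN = %s\n' "$1"
    printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\n'
    printf 'keyUsage = critical, keyCertSign, cRLSign\n'
}

# 1. Constructed internal CA: a self-signed root with CA extensions.
write_req_cfg "Corp Intra CA" ca > "$WORK/ca.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$CA_KEY" -out "$CA_PEM" 2>/dev/null

# 2. Signing certificate issued by that CA: the key + certificate pair you
#    would load as Type "Private Key and Certificate".
write_req_cfg "idp.example.test" > "$WORK/idp.cnf"
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/idp.cnf" \
    -keyout "$IDP_KEY" -out "$WORK/idp.csr" 2>/dev/null
openssl x509 -req -in "$WORK/idp.csr" -CA "$CA_PEM" -CAkey "$CA_KEY" \
    -CAcreateserial -days 1 -out "$IDP_PEM" 2>/dev/null

# 3. Self-signed signing certificate with the same name and no CA behind it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/idp.cnf" \
    -keyout "$SELF_KEY" -out "$SELF_PEM" 2>/dev/null

# is_self_signed FILE: true when the issuer DN equals the subject DN, the
# name-based test for a self-signed certificate (a full check would also
# verify the signature with the certificate's own public key).
is_self_signed() {
    _iss=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    _sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$_iss" = "$_sub" ]
}

# chains_to FILE CAFILE: the partner's check; succeeds only if FILE chains
# to a CA certificate in the trust store it was given.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# report FILE CAFILE: one human-readable line per certificate.
report() {
    if is_self_signed "$1"; then kind="self-signed"; else kind="CA-issued"; fi
    if chains_to "$1" "$2"; then trust="accepted"; else trust="rejected"; fi
    printf '%-10s %-12s partner trust check: %s\n' "$(basename "$1")" "$kind" "$trust"
}

report "$IDP_PEM" "$CA_PEM"    # idp.pem  CA-issued   ... accepted
report "$SELF_PEM" "$CA_PEM"   # self.pem self-signed ... rejected
```

In a real partnership the partner's trust store holds whatever CA certificate you exchanged with it out of band; a corporate INTRA CA works as long as the partner has been given (and is willing to import) that CA certificate, which is exactly the agreement point raised in question 3.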