reg: saml certificate


Article ID: 209969


Updated On:


SITEMINDER CA Single Sign On Federation (SiteMinder)



When running a Policy Server and AdminUI, and configuring Federation
partnership, one might like to know :

  1. If you can use INTRA CA issues cert to sign assertions;
  2. Is there a limitation in the Policy Server to use a self-signed
     certificate to sign assertion ?
  3. If using a corporate INTRA CA and use the key + cert pair to sign
     SAML, will it be an issue that the 3rd party won't accept the
     corporate cert as it is not Externally issued ?




At first glance, you do need a signed certificate to sign
assertion. As such,

  1. You won't be able to use a corporate INTRA CA self signed
     certificate to sign assertion;
  2. There a limitation as to sign assertion, you do need a signed
     certificate, not a self-signed one;
  3. You can't use the INTRA CA self-signed certificate to sign

So there's a limit. In the AdminUI, to be able to sign an assertion,
the certificate should be set in the Certificate Data Store as Type
"Private Key and Certificate". A self signed certificate will be
inserted automatically as "Trusted Certificate" or "Certificate
Authority" if you select "Use as CA" option. There's no option to
insert a Self-Signed Certificate as Type "Private Key and

You should also note that using a CA signed certificate insure that
the signing partner is really the one it pretends to be.