Certificates and Keys for Service Providers and Identity Providers for the IDR SSO Agent

Public key certificates and private keys help secure single sign-on (SSO) transactions carried out between an identity router and external entities, including identity providers (IdPs) and service providers (SPs). An IdP asserts that a user is authenticated in that IdP environment, for example, using an identity source known to the IdP. SPs such as protected applications rely on those assertions to authorize access to the application. Within SSO transactions, senders use a private key to sign identity requests or identity assertions. Recipients validate those signed requests or assertions using the public key contained in the corresponding certificate. You use the Cloud Administration Console to create connections between IdPs and SPs in an IDR SSO Agent deployment, and the same procedures load the private keys and corresponding certificates into the IdPs and SPs.

When you connect an IdP and SP, you upload a certificate and a private key. You can use your own public key infrastructure to issue keys and certificates. If the IdP or SP already has certificates or keys installed on their endpoints, you can upload one of those keys or certificates into the Cloud Administration Console. If certificates are not available, you can use the Cloud Administration Console to generate a certificate and private key for the connection you are creating.

As an example, a SAML connection to an IdP handles identity requests signed by the SP and assertions signed by the IdP. This requires the following keys and certificates:

  • A private key on the SP to sign requests and the corresponding certificate on the IdP to validate the signed requests.
  • A private key on the IdP to sign assertions and the corresponding certificate on the SP to validate the signed assertions.

Note: SecurID requires version 3 certificates and generates only version 3 certificates in certificate bundles. The Cloud Administration Console does not check the certificate version during upload. If you upload a certificate that is not version 3, the identity router may not function properly. If you suspect this has occurred, obtain and upload a version 3 certificate. If you cannot obtain a version 3 certificate, use the Cloud Administration Console to generate a certificate bundle and upload the certificate from the bundle.

As mentioned, the IdP may already have a private signing key and certificate for signing assertions for other consumers. If so, you can upload that certificate to the Cloud Administration Console for validating assertions. If not, you can generate a private key and certificate to protect the connection.

A certificate bundle zip file contains the following files:

  • cert.pem: The certificate in PEM-encoded format. This file contains the public key. A certificate is loaded into an IdP to validate signed identity requests or into an SP to validate signed identity assertions.
  • certsign.req: The certificate signing request (CSR) to send to your certificate authority (CA) requesting an identity certificate that has been digitally signed with the private key of the CA. This is not commonly used.
  • private.key: The private key file. It is loaded into an SP to sign identity requests or into an IdP to sign identity assertions.
  • public.key: Not used.

For IdP and SP connections you can generally use the certificate (cert.pem) file right from the zip file. However, some environments require certificates to be signed by a trusted certificate authority. In that case, send the certsign.req file to a certificate authority to be signed, and upload the CA-signed certificate it returns to the appropriate endpoint in place of cert.pem.
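The following script is an added example and is not part of the IDR SSO Agent documentation or the Cloud Administration Console. It uses openssl to produce the same four files a generated certificate bundle contains (private.key, certsign.req, cert.pem, public.key), checks the X.509 version of cert.pem before upload (the console does not check it, as the note above says), confirms that cert.pem and private.key belong together, and exercises the sign-with-private-key, verify-with-certificate flow the introduction describes. The subject name and the signed message are constructed for the example; openssl 1.1.1 or newer is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not the product's own code): build a bundle-equivalent set of
# files with openssl, check the certificate version, and sign/verify a message.
# Assumes openssl >= 1.1.1 on PATH. Subject name and message are constructed.
set -eu

SUBJECT="/CN=idr-sp.example.com"   # constructed example subject, not a real host

# Write private.key, certsign.req, cert.pem and public.key into directory "$1".
generate_bundle() {
  dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/private.key" 2>/dev/null
  # CSR: what you would send to a CA when the environment requires a CA-signed cert.
  openssl req -new -key "$dir/private.key" -subj "$SUBJECT" \
    -out "$dir/certsign.req" 2>/dev/null
  # Self-signed certificate. Extensions exist only in X.509 v3, so -addext
  # guarantees a v3 certificate, which is what the identity router requires.
  openssl req -x509 -new -key "$dir/private.key" -subj "$SUBJECT" -days 365 \
    -addext "keyUsage=critical,digitalSignature" \
    -out "$dir/cert.pem" 2>/dev/null
  # public.key is part of the bundle but not used by the console.
  openssl pkey -in "$dir/private.key" -pubout -out "$dir/public.key" 2>/dev/null
}

# Print the X.509 version (1, 2 or 3) of a PEM certificate. Run this on any
# certificate before uploading it, since the upload does not check the version.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Succeed only if the public key inside cert.pem matches private.key, i.e. the
# pair can be split across the signer (private.key) and the verifier (cert.pem).
keys_match() {
  dir="$1"
  a="$(openssl pkey -in "$dir/private.key" -pubout 2>/dev/null)"
  b="$(openssl x509 -in "$dir/cert.pem" -pubkey -noout)"
  [ "$a" = "$b" ]
}

# Sender side: sign a constructed message with the private key.
# Recipient side: verify it with the public key extracted from the certificate.
sign_and_verify() {
  dir="$1"
  printf '%s' 'constructed sample identity request body' > "$dir/msg.bin"
  openssl dgst -sha256 -sign "$dir/private.key" -out "$dir/msg.sig" "$dir/msg.bin"
  openssl x509 -in "$dir/cert.pem" -pubkey -noout > "$dir/cert-pub.pem"
  openssl dgst -sha256 -verify "$dir/cert-pub.pem" \
    -signature "$dir/msg.sig" "$dir/msg.bin" >/dev/null
}

# Stand-alone run: generate a bundle in a temporary directory and report.
WORK="$(mktemp -d)"
generate_bundle "$WORK"
echo "bundle written to $WORK (cert.pem is X.509 version $(cert_version "$WORK/cert.pem"))"
keys_match "$WORK" && echo "cert.pem and private.key form a matching pair"
sign_and_verify "$WORK" && echo "signature made with private.key verifies against cert.pem"
```

The files are left in the temporary directory printed by the script so you can inspect them with `openssl x509 -in cert.pem -noout -text`; if `cert_version` prints anything other than 3 for a certificate you obtained elsewhere, do not upload it.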