Trusted Certificate Authorities for HFED or Trusted Headers Applications

When applications are added to SecurID using either the HTTP Federation Proxy (HFED) or trusted headers method, the identity routers connect directly to the application web servers. If SSL is enabled for these applications, the application web server must have a valid certificate signed by a certificate authority (CA) that the identity routers trust.

The identity routers automatically trust valid certificates signed by:

However, some companies use an internal or lesser-known CA to sign certificates used for their application web servers. To establish trust between the identity router and an internal CA, you can upload one or more CA certificates using the Cloud Administration Console.

The identity routers require the application web server's SSL certificate to be valid. A valid SSL certificate contains:

  • A signature from a trusted CA
  • A name that matches the web server's hostname
  • An expiration date that has not passed
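
The three requirements above can be checked against an application certificate before an internal CA certificate is uploaded. The following Go program is an added example, not SecurID code: it uses Go's crypto/x509 verifier as a stand-in for the identity router's check, and the `issue` and `Check` helpers, the constructed CA, and the host name app.example.internal are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate (hypothetical helper); a nil parent yields a self-signed CA.
func issue(cn string, exp time.Time, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: exp}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	} else {
		t.DNSNames = []string{cn} // the server name is matched against the subjectAltName
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Check names the first of the three validity requirements that the certificate fails.
func Check(leaf *x509.Certificate, trusted *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	var ci x509.CertificateInvalidError
	var he x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil: return "valid"
	case errors.As(err, &ci) && ci.Reason == x509.Expired: return "expired"
	case errors.As(err, &he): return "name mismatch"
	case errors.As(err, &ua): return "untrusted CA"
	}
	return "invalid: " + err.Error()
}

func main() {
	ca, caKey := issue("Constructed Internal CA", time.Now().Add(time.Hour), nil, nil)
	leaf, _ := issue("app.example.internal", time.Now().Add(time.Hour), ca, caKey)
	fmt.Println(Check(leaf, x509.NewCertPool(), "app.example.internal")) // internal CA not in the trust pool
}
```

Adding the constructed CA to the pool with `AddCert` makes the same call return `valid`, which is the trust relationship that uploading the internal CA certificate is meant to establish.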