SAML Certificates in Federation Metadata

This article discusses the use of X.509 certificates in Federation metadata. It has security implications so please read it carefully.

Tip: Prepare to Generate a New Private Signing Key!

Before generating a new private signing key for your IdP, read the IdP Key Handling topic.

Background

In the base SAML metadata specification [1], a certificate authority (CA) has no assumed relevance to the trust model that secures the interactions among a federation's participants. In fact, CA-signed certificates are discouraged, since they can create interoperability issues in certain situations and lead to configurations that mistakenly establish trust based on who signed the certificate rather than on the certificate registered in metadata. Allowing self-signed certificates simplifies the work of participants who may be required to join multiple federations, or who support local systems that are not registered in the federation.
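The metadata-keyed trust model described above, as an added example that is not part of the original article: a relying party pins the certificates an IdP publishes in its KeyDescriptor elements and accepts a presented signing certificate only if it matches one of them, consulting no CA at all. The metadata fragment, the entityID and the "DER" byte strings are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER-encoded certificates (not real X.509 structures).
IDP_SIGNING_DER = b"\x30\x82\x01\x00constructed-idp-signing-cert"
IDP_ENC_DER = b"\x30\x82\x01\x00constructed-idp-encryption-cert"

# Constructed metadata fragment in the shape the SAML metadata spec defines.
METADATA_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(IDP_SIGNING_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(IDP_ENC_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.sha256(der).digest())

def trusted_signing_fingerprints(metadata_xml: str, entity_id: str) -> set:
    """Fingerprints of the certificates the named entity publishes for signing."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        return set()  # metadata for some other entity: trust nothing from it
    fps = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping
            fps.add(fingerprint(der))
    return fps

def is_trusted_signer(presented_der: bytes, metadata_xml: str, entity_id: str) -> bool:
    """Accept only a certificate registered in metadata; issuer and CA chain are irrelevant."""
    return fingerprint(presented_der) in trusted_signing_fingerprints(metadata_xml, entity_id)
```

Note that the encryption certificate is rejected as a signer even though it is published by the same entity, and that no certificate is trusted unless the metadata's entityID matches the entity being checked.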