SAML and X509Certificates

Posted on 2014-08-08
Last Modified: 2014-10-10
I'm working with a vendor to create a SAML response, and I have a request to provide them with an X.509 certificate (the public key of the certificate being used to sign the SAML response and all applicable cert chain(s) of the signing cert).

Originally I thought that the X.509 format of the SSL key I have been using to secure my website (the SAML response will be coming from a directory of this website) was a sufficient key. After speaking with the third-party vendor who supplied me with the key, I'm being informed that an SSL key may work but that I may need a code signing certificate instead. I'm not familiar with code signing certificates; I have mostly dealt with SSL keys.

In the case of creating a SAML response which key type is appropriate?
Question by: dowhatyoudo22

    Assisted Solution

    I would not suggest using the SSL certificate for the SAML response, as any issues related to your website SSL automatically impact your application.

    There is an open opinion on this:
    Q10. I need a certificate for use in the InCommon Federation. What sort of certificate should I use from the InCommon Certificate Service for that purpose?

    That depends. If you are deploying a SAML Identity Provider (IdP) or a SAML Service Provider (SP) in the InCommon Federation, and you need an SSL/TLS certificate for an ordinary browser-facing SAML endpoint, you should use a web server certificate as described in Q1.

    If, on the other hand, you need a public/private key pair for XML Signature and/or XML Encryption, you should use a long-lived self-signed certificate, which is the preferred type of certificate inserted into InCommon metadata.
    Reprinted from

    There is also an opinion that a self-signed cert should work just as well:

    In any event, using the SSL certificate for your website is not something I would recommend.

    Expert Comment

    Did my answer help, or do you need further assistance with this question?

    Author Comment

    Sorry, I thought I had responded to this a while ago. I had asked if you could provide more information explaining the pros and cons of using the SSL certificate currently being used for my website, other than "if there is a problem with the site certificate then we would experience problems with the certificate for the SAML".

    Accepted Solution

    The long and short of it is, the web server certificate is used in normal web traffic, and the key pair may potentially be available to members of your team, which creates the potential for compromise.

    There is NO one reason to do it or not to; my recommendation as a best practice where encryption is concerned is simply to separate the digital certificates used especially for token signing etc.

    If you want to proceed with using your website certificate, there is no reason why you cannot; as indicated by the links above, there are discussions on this based simply on a matter of preference.
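The approach the answers recommend (a dedicated, long-lived self-signed key pair for XML Signature, kept apart from the website's TLS certificate), worked through as an added example that is not from the original thread or from any vendor's tooling. It assumes openssl is on the PATH; the subject names, the 10-year lifetime and the temp directory are placeholders, not values from the question.

```shell
#!/bin/sh
# Added example: build a signing-only, self-signed certificate for SAML,
# check it is really separate from the web TLS cert, and export the public
# cert in the bare-base64 form that goes into SAML metadata.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # placeholder scratch directory

# Create a self-signed cert whose keyUsage is restricted to digitalSignature.
# $1 = output basename, $2 = subject CN (placeholder), $3 = validity in days
make_signing_cert() {
  cat > "$WORKDIR/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_sig
[dn]
CN = $2
[v3_sig]
keyUsage = critical, digitalSignature
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -config "$WORKDIR/$1.cnf" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Succeeds when the cert is self-signed (subject equals issuer), the type
# the InCommon FAQ quoted above prefers for XML Signature keys.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeeds when Key Usage includes Digital Signature (what a SAML signer needs).
allows_digital_signature() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage' | grep -q 'Digital Signature'
}

# Succeeds when two certs carry the same public key: the reuse the accepted
# answer warns against (website TLS key doubling as the SAML signing key).
shares_key_with() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# SAML metadata <ds:X509Certificate> holds the bare base64 DER, no PEM armor.
metadata_x509() {
  sed '/^-----/d' "$1" | tr -d '\n'
}
```

Hand the vendor the output of metadata_x509 (plus the signing cert's chain, if it is not self-signed), never the .key file.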
