Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 366
  • Last Modified:

SAML and X509Certificates

Working with a vendor to create a SAML response and I have a request to provide them with an x509 certificate (The public key of the certificate being used to sign the SAML response and all applicable cert chain(s) of the signing cert).

Originally I thought that the x509 format of the SSL key I have been using to secure my website (the SAML response will becoming from a directory of this website) was a sufficient enough key. After speaking with the third party vendor whom supplied me with the key I'm being informed that an SSL key may work but that I may need a code signing certificate instead. I'm not familiar with code signing certificates have mostly dealt with SSL keys.

In the case of creating a SAML response which key type is appropriate?
  • 3
2 Solutions
I would not suggest using the SSL certificate for the saml response as any issues related to your website SSL automatically impacts your application.

There is an open opinion on this:
Q10. I need a certificate for use in the InCommon Federation. What sort of certificate should I use from the InCommon Certificate Service for that purpose?

That depends. If you are deploying a SAML Identity Provider (IdP) or a SAML Service Provider (SP) in the InCommon Federation, and you need an SSL/TLS certificate for an ordinary browser-facing SAML endpoint, you should use a web server certificate as described in Q1.

If, on the other hand, you need a public/private key pair for XML Signature and/or XML Encryption, you should use a long-lived self-signed certificate, which is the preferred type of certificate inserted into InCommon metadata.
Reprinted from

There is also an opinion a Self signed cert should work just as well:

In any event using the SSL certificate for your website is not something I would recomnend.

Did my answer help, or do you need further assistance with this question ?
dowhatyoudo22Author Commented:
Sorry, I thought I had responded to this a while ago. I had asked if you could provide more information explaining the pros & cons to using the SSL certificate currently being used for my website other than "if there is a problem with the site certificate then we would experience problems with the certificate for the SAML".
The long and short of it is, the web server certificate is used in normal web traffic and the key pair may potentially be available to members of your team which creates the potential for compromise.

There is NO one reason to do it or not to, my recommendation as a best practice where encryption is concerned is to simply separate digital certificates used especially for token signing etc. .

If you want to proceed with using your website certificate, there is no reason why you cannot, as indicated from the links above there are discussions on this based simply on a matter of preference.

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now