SAML Signing and Encryption Certificates

This article provides guidance to application owners on obtaining and maintaining SAML Signing and Encryption Certificates for their application. 


Overview of SAML Signing and Encryption

SAML Signing and Encryption Certificates provide additional security during HarvardKey Authentication for applications that use the SAML authentication protocol. SAML signing and encryption uses public keys, or certificates, to verify data sent between the Service Provider (SP) and Harvard Identity Provider (IdP).

SAML certificates are distinct from SSL (TLS) certificates, which secure the browser’s connection to the application and are configured and maintained on the web server. Application owners are responsible for acquiring SAML certificates for their application and updating them before they expire. If the certificate expires while a registration is still active, communication between Harvard IdP and the SP will be interrupted and authentication to the application will fail. 

Harvard IdP will activate any certificates associated with your application during the authentication process. A simplified version of the certificate functions is provided below: 

  1. Signing certificate: Harvard IdP uses the signing certificate (the SP’s public key) to verify the signature the SP places on its authentication request, proving the request came from the registered SP. 
  2. Encryption certificate: Harvard IdP uses the encryption certificate to encrypt the content of the response (assertion) it returns to the SP, so that only the holder of the SP’s private key can read it.

To reduce the burden on certificate maintenance, Harvard IdP recommends acquiring long-term self-signed certificates whenever possible, preferably with a minimum expiration date of three years, consistent with InCommon Federation best practices. 

Acquire a SAML Signing / Encryption Certificate 

The steps for acquiring a self-signed certificate are outlined below: 

Before applying for integration with HarvardKey

  1. Generate a secure private key (never shared) and a public key certificate to be shared with Harvard IdP during authentication. For detailed information on generating a private key / public key pair, view this article on key generation.
  2. Generate the SP metadata file containing the public key to be shared with Harvard IdP. Detailed instructions are located on the IAM SAML Integration page in the sections “Generate Your SP’s Metadata File” and “Certificates”. If you are working with a vendor, they may be able to generate the file for you.
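The script below is an added example, not a script provided by Harvard IAM, showing how an application owner could carry out the two steps above with OpenSSL: generate a private key and a self-signed certificate with the recommended three-year lifetime, confirm the key and certificate belong together, produce the <md:KeyDescriptor> elements that carry the certificate in the SP metadata file, and check whether the certificate remains valid beyond the two-week renewal lead time. The hostname sp.example.edu, the file names sp-key.pem and sp-cert.pem, and the RSA-3072 key size are assumptions.

```shell
# Added example (not Harvard IAM's code). Assumes OpenSSL is installed;
# sp.example.edu, the file names and the RSA-3072 key size are placeholders.

# gen_saml_selfsigned_cert NAME KEYFILE CERTFILE DAYS
#   Creates an RSA-3072 private key (never shared) and a self-signed SHA-256
#   certificate valid for DAYS days (1095 = three years, per the guidance above).
gen_saml_selfsigned_cert() (
    name=$1; keyfile=$2; certfile=$3; days=$4
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 \
        -days "$days" -subj "/CN=$name" \
        -keyout "$keyfile" -out "$certfile" >/dev/null 2>&1
    chmod 600 "$keyfile"   # the private key stays readable only by its owner
)

# key_matches_cert KEYFILE CERTFILE
#   Returns 0 when the public key inside the certificate was derived from the
#   private key; catches metadata built from a key pair the SP does not use.
key_matches_cert() (
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
)

# cert_valid_beyond_days CERTFILE DAYS
#   Returns 0 if the certificate will still be valid DAYS days from now.
#   Run it with 14 from a scheduled job: a failure means it is time to open
#   the renewal ticket described in the "Renew a SAML Certificate" section.
cert_valid_beyond_days() (
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
)

# metadata_cert_b64 CERTFILE
#   Strips the PEM armour and line breaks, leaving the base64 DER body that
#   SP metadata carries inside <ds:X509Certificate>.
metadata_cert_b64() (
    sed -e '/^-----BEGIN CERTIFICATE-----$/d' \
        -e '/^-----END CERTIFICATE-----$/d' "$1" | tr -d '\n\r'
)

# saml_key_descriptor CERTFILE USE
#   Emits the <md:KeyDescriptor> element (USE = signing or encryption) to
#   place inside the SP's <md:SPSSODescriptor> in its metadata file.
saml_key_descriptor() (
    printf '<md:KeyDescriptor use="%s">\n' "$2"
    printf '  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    printf '    <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>\n' \
        "$(metadata_cert_b64 "$1")"
    printf '  </ds:KeyInfo>\n</md:KeyDescriptor>\n'
)

# Usage: sh saml_cert.sh sp.example.edu   (writes sp-key.pem and sp-cert.pem,
# prints the two KeyDescriptor elements for the metadata file)
main() {
    gen_saml_selfsigned_cert "$1" sp-key.pem sp-cert.pem 1095
    key_matches_cert sp-key.pem sp-cert.pem || { echo "key/cert mismatch" >&2; exit 1; }
    cert_valid_beyond_days sp-cert.pem 14 \
        || echo "WARNING: certificate expires within 14 days; open an IAM ticket" >&2
    saml_key_descriptor sp-cert.pem signing
    saml_key_descriptor sp-cert.pem encryption
}
[ $# -eq 0 ] || main "$@"
```

The same certificate can be listed twice in the metadata, once with use="signing" and once with use="encryption", or two separate key pairs can be generated with a second call to gen_saml_selfsigned_cert; either way the private key files never leave the SP, and only the certificate (public key) is sent to Harvard IdP inside the metadata file.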

When applying for integration with HarvardKey

Upload a copy of your SP’s metadata file along with the completed HarvardKey Integration Registration form for your application. We strongly recommend that all SAML applications integrated with HarvardKey Authentication have SAML certificates; otherwise, application owners must provide justification for exception on the form. 


Renew a SAML Certificate

IAM will work with you to renew your application’s SAML certificate(s) before they expire. To begin, please send an email to iam_help@harvard.edu, which will generate a ticket in ServiceNow. In the email, please provide the following information:
  • Your application’s entityID
  • Your new SP metadata file. The metadata file should contain the new key(s) generated using the above instructions.

Plan to open a ticket at least two weeks before your certificate expires so that your application is not at risk of being disabled. 

Related Resources