This article provides guidance to application owners on obtaining and maintaining SAML Signing and Encryption Certificates for their application.
Overview of SAML Signing and Encryption
SAML Signing and Encryption Certificates provide additional security during HarvardKey authentication for applications that use the SAML authentication protocol. SAML signing and encryption use public keys, distributed as certificates, to verify and protect the data exchanged between the Service Provider (SP) and the Harvard Identity Provider (IdP).
SAML certificates are distinct from SSL (TLS) certificates, which secure the browser's connection to the application's web server and are configured and maintained on that server. Application owners are responsible for acquiring SAML certificates for their application and updating them before they expire. If a certificate expires while a registration is still active, communication between the Harvard IdP and the SP will be interrupted.
Harvard IdP uses any certificates associated with your application during the authentication process. A simplified description of each certificate's function follows:
- Signing certificate: Harvard IdP uses the signing certificate to verify the signature on the authentication request sent by the SP.
- Encryption certificate: Harvard IdP uses the encryption certificate to encrypt the content of the response (assertion) it returns to the SP.
To reduce the burden of certificate maintenance, Harvard IdP recommends acquiring long-term self-signed certificates whenever possible, preferably valid for at least three years, consistent with InCommon Federation best practices.
Acquire a SAML Signing / Encryption Certificate
The steps for acquiring a self-signed certificate are outlined below:
Before applying for integration with HarvardKey
- Generate a secure private key (never shared) and a public key certificate to be shared with Harvard IdP during authentication. For detailed information on generating a private/public key pair, view this article on key generation.
- Generate the SP metadata file containing the public key to be shared with Harvard IdP. Detailed instructions are located on the IAM SAML Integration page in the sections “Generate Your SP’s Metadata File” and “Certificates”. If you are working with a vendor, they may be able to generate the file for you.
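The key-generation and metadata steps above, as an added shell example that is not part of this article or of Harvard IAM's tooling. It assumes OpenSSL is installed, uses a placeholder subject (`sp.example.org`), and shows the three checks an application owner usually wants: a 3-year self-signed certificate, the `KeyDescriptor` elements to paste into the SP metadata file, and a renewal-window check.

```shell
#!/bin/sh
# Added example, not from the Harvard IAM article: create a long-lived
# self-signed SAML certificate, emit KeyDescriptor elements for SP metadata,
# and check that the certificate is still inside its renewal window.
set -eu

# RSA key pair + self-signed X.509 certificate valid for 3 years (1095 days),
# matching the article's recommended minimum. The CN is an assumed placeholder.
gen_saml_cert() {
    key="$1"; crt="$2"; days="${3:-1095}"
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 \
        -keyout "$key" -out "$crt" -days "$days" \
        -subj "/CN=sp.example.org" 2>/dev/null
    chmod 600 "$key"   # the private key stays on the SP and is never shared
}

# Confirm the certificate really was issued for this private key (a mismatch
# is a common cause of signature failures after a renewal).
key_matches_cert() {
    a=$(openssl x509 -in "$2" -noout -pubkey)
    b=$(openssl pkey -in "$1" -pubout)
    [ "$a" = "$b" ]
}

# <md:KeyDescriptor> elements for the SP metadata file: the bare base64 body
# (PEM armor stripped), advertised for both signing and encryption use.
key_descriptors() {
    b64=$(sed '/-----/d' "$1" | tr -d '\n')
    for use in signing encryption; do
        printf '<md:KeyDescriptor use="%s"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n' "$use" "$b64"
    done
}

# Exit 0 while the certificate remains valid for at least $2 days (default 14,
# the lead time the article asks for before opening a renewal ticket).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null
}

# Usage (files land in the current directory):
# gen_saml_cert sp.key sp.crt && key_matches_cert sp.key sp.crt \
#   && key_descriptors sp.crt && valid_for_days sp.crt
```

Run `valid_for_days sp.crt` from a scheduled job so the renewal ticket can be opened before the two-week window closes.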
When applying for integration with HarvardKey
Renew a SAML Certificate
- Your application’s entityID
- Your new SP metadata file. The metadata file should contain the new key(s) generated using the above instructions.
Plan to open a ticket at least two weeks before your certificate expires so your application is not at risk of being disabled.
Related Resources
- What are SAML Certificates?
- What are Signing and Encryption Keys?
- Selecting an Authentication Protocol