SAML X.509 certificates management in the Fédération Éducation-Recherche

SAML entities (identity or service providers) are registered within the federation and are associated with the X.509 certificate they use to secure communications between them (encryption and signing of SAML assertions).

The SAML2 specifications do not require the interpretation or verification of certain information associated with certificates issued by certification authorities (CAs). Indeed, certificates issued by these authorities may cause problems during configuration steps, or trust interoperability issues, because trust would unduly rest on the issuing authority instead of on the certificate itself. Self-signed certificates facilitate the configuration and maintenance of the technical building blocks (SAML providers running on private networks, inter-federation, fewer renewals, etc.). Confidence in these certificates comes from the fact that they are collected, verified and associated with their respective SAML entities through the Federation's registry. This information is then published in the Federation's metadata file, which is signed by the Federation operator and accessible via an HTTPS URL. This allows the integrity and the issuer of the metadata file to be verified.

  • We strongly recommend using long-lived (10 years or more) self-signed certificates for SAML entities;
    • A long lifespan avoids frequent renewal actions and the “programmed failure” effect of certificate expiry;
    • Self-signed certificates cause fewer interoperability problems across different SAML2 implementations;
    • The certificate CN must match the server hostname if the SAML2 SOAP profile is used;
    • Some SAML2 implementations (ADFS) do not allow the same certificate to be shared by two different entities;
  • The key size must be at least 2048 bits;
    • However, larger key sizes are not advised, to avoid unnecessarily heavy computation for message encryption and signing;
    • The certificate of every newly registered SAML entity must respect this constraint;
  • Every expired certificate must be replaced, and removed once the rollover is done;
  • If the private key is exposed, the entity's manager must immediately generate a new key and promptly replace the entity's public key;
    • They must notify the federation operator so that the update is made as quickly as possible;
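The recommendations above, as an added shell example (not the federation's own tooling): it generates a self-signed 10-year certificate with a 2048-bit RSA key whose CN is the entity hostname, checks an existing certificate against the minimum key size and expiry, and extracts the base64 body that goes into the metadata's X509Certificate element. The hostname sp.example.org and the file paths are placeholders.

```shell
#!/bin/sh
# Self-signed SAML entity certificate: RSA 2048 (federation minimum), 3653 days (10 years),
# CN = entity hostname (required by the SOAP profile). Hostname and paths are placeholders.

generate_saml_cert() {
    host="$1"; key="$2"; cert="$3"
    # umask in a subshell so the private key is created readable by its owner only.
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$cert" -days 3653 -subj "/CN=$host" 2>/dev/null )
}

# Print the RSA modulus size of the certificate's public key (e.g. 2048).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the certificate is still valid in N days from now, 1 otherwise.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Base64 body without PEM markers or line breaks, as pasted into <ds:X509Certificate>.
cert_for_metadata() {
    sed '/-----/d' "$1" | tr -d '\n'
}

# Check a certificate against the federation constraints; returns 0 on pass.
check_saml_cert() {
    cert="$1"; bits=$(cert_key_bits "$cert")
    [ "${bits:-0}" -ge 2048 ] || { echo "$cert: ${bits:-unknown}-bit key, minimum is 2048"; return 1; }
    cert_valid_for_days "$cert" 0 || { echo "$cert: expired, roll over and notify the operator"; return 1; }
    cert_valid_for_days "$cert" 90 || echo "$cert: expires within 90 days, plan the rollover"
    echo "$cert: OK ($bits-bit key, $(openssl x509 -in "$cert" -noout -enddate))"
}

# Usage: ./saml-cert.sh generate sp.example.org key.pem cert.pem | check cert.pem | metadata cert.pem
case "${1:-}" in
    generate) generate_saml_cert "$2" "$3" "$4" ;;
    check)    check_saml_cert "$2" ;;
    metadata) cert_for_metadata "$2"; echo ;;
esac
```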

SAML certificate rollover instructions for IDP and SP administrators