We are implementing SAML/OIDC-based SSO across our enterprise and wanted to get a feel for best practices when it comes to using Personal/Signer Certificates within our IdP.

Historically we've utilised the personal certificate that came with our IdP, but upon reading their documentation, it seems as though they recommend against that and state that it is there for demonstration purposes only.

I'm looking for feedback from SMEs on the following:

  1. Do you utilise self-signed certificates?
  2. Or, have you traditionally gone to CAs for your signer certificates?
  3. If "yes" to #2, what is your CA of choice for signer certificates?
  4. If "yes" to #1, what is the length of validity you typically use for your self-signed certificates?

Any feedback on this would be greatly appreciated.

  • You should not use a sample certificate that came with the IdP, but in my opinion self-signed is fine https://security.stackexchange.com/questions/215562/why-use-a-ca-signed-key-pair-to-encrypt-saml2-assertions/215583#215583 – explunit Aug 10 '22 at 19:59

1 Answer

You've not said what IdP you're using, though it probably doesn't matter too much. It makes sense not to use a demo cert though, especially if it's part of the distribution. This could allow anyone who can download it to forge assertions for you.

Either self-signed or "self-chained"/non-public certs are fine for an IdP: these certs won't ever be used by a browser, they're just for signing/encrypting assertions (IIRC Splunk's SP used to require a public CA chain or adding your CA to the trust store - most don't, as the public key is part of the metadata/initial setup, and as long as decryption / signature verification works it's all good).

Ongoing care and feeding of the IdP in relation to the cert you're using could help decide. As you can see in the table, self-signed is probably the easiest if you're self-hosting your IdP.

Task               Self Signed   Own CA            Public CA
Initial Setup      Very Easy     Complicated [1]   Easy
Cert properties    Unlimited     Unlimited         Limited
Setting up SPs     Easy          Easy              Easy
Renewing cert      Very Easy     Easy              Complicated [2]

[1] Setting up own CA: You'll probably want an offline CA with a long life, ideally this signs an online intermediate and then the intermediate signs your leaf/IdP cert. Not that hard, but much more work than a self-signed cert! Another possible benefit here is control, you can be more flexible if needed.

[2] For self-signed and an internal CA you can make the lifetime as long as you like; for a public CA you're going to be swapping every year (or 379 days if you push it).

  • Traditionally companies I work with were previously utilising ADFS, and so they've gotten used to rotating their AD FS token signing and token decryption certificates each year, thus updating their SSO configurations as a result. I'm going to toy around with seeing if Ansible can export the certs and update the SSO bindings automatically. – user1913559 Aug 16 '22 at 19:48
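As an added worked example (not code from the question, the answer or the comments above), the following script mints both kinds of non-public signing certificate the answer discusses: the long-lived self-signed cert from the "Self Signed" column and the offline root -> online intermediate -> leaf chain from footnote [1]. It then shows the two things a practitioner actually cares about: the base64 DER form of the cert that goes into IdP metadata, and the fact that an SP verifies assertion signatures against that pinned key with no CA involved, which is why self-signed works. It finishes with the expiry check a rotation job like the one in the last comment would run. Every hostname, CN, lifetime, key size and file path is an assumption for illustration; it needs only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the question or answer above. Mints the two kinds
# of non-public IdP signing certificate the answer discusses (a long-lived
# self-signed cert, and the offline root -> online intermediate -> leaf chain of
# footnote [1]) and shows what an SP actually checks. All names, lifetimes, key
# sizes and paths are assumptions for illustration.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extension profiles. A signing cert only needs digitalSignature; an SP never
# checks it as a server cert, so there is no SAN and no serverAuth EKU.
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature'          > "$WORK/sign.ext"
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign'       > "$WORK/root.ext"
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
              'keyUsage=critical,keyCertSign,cRLSign'       > "$WORK/int.ext"

# Key + CSR for file stem $1 with CN=$2 and RSA size $3.
new_key_csr() {
  openssl req -new -newkey "rsa:$3" -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue $WORK/$1.crt from its CSR with extension file $2, valid $3 days,
# signed by CA stem $4, or self-signed when $4 is "self".
issue() {
  if [ "$4" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days "$3" -sha256 -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days "$3" -sha256 -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# The "Self Signed" column: one cert, lifetime set by your rotation policy alone.
make_self_signed() {
  new_key_csr idp-self 'idp.example.internal' 3072
  issue idp-self "$WORK/sign.ext" 3650 self
}

# The "Own CA" column, as in footnote [1]: a 20-year root whose key stays offline,
# an online intermediate limited to issuing leaves (pathlen:0), a 5-year leaf.
make_own_ca_chain() {
  new_key_csr root 'Example Corp Offline Root' 4096
  issue root "$WORK/root.ext" 7300 self
  new_key_csr int 'Example Corp Issuing CA' 3072
  issue int "$WORK/int.ext" 3650 root
  new_key_csr idp-leaf 'idp.example.internal' 3072
  issue idp-leaf "$WORK/sign.ext" 1825 int
}

# Chain validation: what a browser (or an SP that insists on a trust store) does.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/idp-leaf.crt" >/dev/null
}

# The form SPs consume from IdP metadata: DER, base64, no PEM armour, exactly the
# text content of <ds:X509Certificate>. This is where the trust really lives.
metadata_b64() {
  openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# What an SP does with it: pin the public key of the cert it was configured with
# ($2) and verify a signature made with key $1. No CA, no chain, so self-signed
# is fine; a cert the SP was not configured with is rejected even with a valid chain.
sign_and_verify_pinned() {
  printf 'constructed stand-in for a signed SAML Response' > "$WORK/msg.txt"
  openssl dgst -sha256 -sign "$1" -out "$WORK/msg.sig" "$WORK/msg.txt"
  openssl x509 -in "$2" -pubkey -noout > "$WORK/pinned.pub"
  openssl dgst -sha256 -verify "$WORK/pinned.pub" -signature "$WORK/msg.sig" \
    "$WORK/msg.txt" >/dev/null 2>&1
}

# Care and feeding: exit 0 if cert $1 is still valid $2 days from now, 1 if not.
# A rotation job alerts on this well before the SP-side metadata update is due.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_self_signed
make_own_ca_chain
verify_chain && echo "chain: leaf validates up to the offline root"
sign_and_verify_pinned "$WORK/idp-self.key" "$WORK/idp-self.crt" \
  && echo "self-signed cert pinned from metadata: signature verifies"
sign_and_verify_pinned "$WORK/idp-self.key" "$WORK/idp-leaf.crt" \
  || echo "cert the SP was not configured with: signature rejected"
valid_for_days "$WORK/idp-self.crt" 30 && echo "self-signed cert: no rotation due in 30 days"
echo "metadata value begins: $(metadata_b64 "$WORK/idp-self.crt" | cut -c1-40)..."
```

The point the negative case makes is the one the answer relies on: the SP's check is "does the signature verify under the key I was given at setup", not "does this cert chain to something I trust", so a self-signed cert and a CA-issued one are equally secure at the SP, and the only operational difference is how you rotate. Whichever column you pick, the private key (and, for the own-CA option, the root key) is what actually needs protecting; the certificate is public by design.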