
When accepting public keys from someone setting up an identity provider for access to resources protected by a service provider using SAML 2.0, do you absolutely need to have a unique certificate? Is this covered in the SAML specifications?

If they don't, I assume that use of certificates as a layer of defense is rendered void. An example might be someone setting up a test IdP and reusing the certificate for production.

Dave

2 Answers


It is not specified that the certificates for two IdPs must be unique. As far as I know you don't even have to have a certificate. But it's recommended.

Stefan Rasmusson

To expand on Stefan's answer:

I would also ensure that the certificate used for signing is different from the one used for encryption, as well as different from the one the TLS (I hope you aren't still using SSL) is using to secure the communications channel.

In other words... A unique certificate for each thing.

Andrew K.
  • Can you explain why the TLS cert needs to be different from the one used for SAML? – Jens Timmerman Aug 19 '15 at 12:24
  • It doesn't NEED to be different. I'd just suggest it. That way you can revoke one without affecting the other. It may be rare that you would need to, but, it happens. – Andrew K. Aug 19 '15 at 16:22
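Both the question (a test IdP reusing its certificate in production) and the "one certificate per thing" advice above come down to the same check a service-provider operator can run when onboarding IdP metadata: fingerprint every certificate and flag any that appear under more than one entity or more than one key use. The script below is an added example written for this thread, not code from any of the posters; it uses only the Python standard library. The metadata documents, the entity IDs and the certificate bodies in it are constructed placeholders (the "certificates" are just base64 of a short byte string, since only the fingerprint is compared), and the extra TLS-certificate fingerprint is assumed to have been obtained out of band, for example from the IdP's HTTPS endpoint.

```python
"""Detect certificate reuse across SAML 2.0 IdP metadata and key uses.

Added example, not from the original thread. It walks
EntityDescriptor / IDPSSODescriptor / KeyDescriptor elements, fingerprints
every ds:X509Certificate and reports any certificate that is shared between
different entities (e.g. a test IdP and a production IdP) or between
different uses (signing vs. encryption vs. the TLS channel certificate).
All sample metadata and certificate bodies below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes, i.e. the value `openssl x509 -fingerprint -sha256`
    prints (without colons). Whitespace inside the base64 body is ignored."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def extract_keys(metadata_xml: str):
    """Yield (entityID, use, fingerprint) for every KeyDescriptor in the document.

    Handles a single EntityDescriptor or an EntitiesDescriptor aggregate.
    A KeyDescriptor without a `use` attribute is valid for both signing and
    encryption, which is itself a form of reuse worth surfacing."""
    root = ET.fromstring(metadata_xml)
    if root.tag.endswith("EntityDescriptor"):
        entities = [root]
    else:
        entities = root.findall("md:EntityDescriptor", NS)
    for ent in entities:
        entity_id = ent.get("entityID")
        for kd in ent.iter("{%s}KeyDescriptor" % NS["md"]):
            use = kd.get("use") or "signing+encryption"
            for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
                yield entity_id, use, fingerprint(cert.text)


def find_reuse(metadata_docs, extra_certs=()):
    """Return {fingerprint: {(label, use), ...}} for every certificate seen in
    more than one (label, use) slot.

    extra_certs: iterable of (label, use, base64_der) for certificates that do
    not live in metadata, such as the TLS certificate of the IdP endpoint."""
    seen = defaultdict(set)
    for doc in metadata_docs:
        for entity_id, use, fp in extract_keys(doc):
            seen[fp].add((entity_id, use))
    for label, use, b64 in extra_certs:
        seen[fingerprint(b64)].add((label, use))
    return {fp: places for fp, places in seen.items() if len(places) > 1}


# --- constructed sample data (placeholders, not real certificates) ---------
CERT_A = base64.b64encode(b"placeholder-certificate-A").decode()
CERT_B = base64.b64encode(b"placeholder-certificate-B").decode()
TEST_IDP_ID = "https://idp-test.example.com/metadata"   # constructed
PROD_IDP_ID = "https://idp.example.com/metadata"        # constructed


def _idp_metadata(entity_id, signing_cert, encryption_cert):
    """Build a minimal IdP EntityDescriptor with one signing and one encryption key."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{signing_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{encryption_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Test IdP uses one certificate for everything; production reuses the test
# signing certificate and has its own encryption certificate.
TEST_IDP = _idp_metadata(TEST_IDP_ID, CERT_A, CERT_A)
PROD_IDP = _idp_metadata(PROD_IDP_ID, CERT_A, CERT_B)

if __name__ == "__main__":
    for fp, places in find_reuse([TEST_IDP, PROD_IDP]).items():
        print("certificate", fp[:16], "reused in:", sorted(places))
```

Run with no arguments it reports the shared certificate A under three slots (test signing, test encryption, production signing) and says nothing about B, which appears only once. Passing the production endpoint's TLS certificate through `extra_certs` catches the case Andrew describes, where revoking the channel certificate would also invalidate a SAML key.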