SAML certificate considerations

For bi-directional trust, WFO and the customer IdP exchange X.509 certificates. Each side uses the other's certificate to verify the signatures on the SAML messages it receives, so a message signed with a key the other side does not know is rejected.

Use the same SAML signing certificate on all application servers so that SAML requests are signed with the same key regardless of which Application Server produces them. The IdP is configured to trust one signing certificate; a request signed by a server holding a different certificate fails signature verification at the IdP.

Configure the WFO Application Server with the SAML certificate and the certificate store (keystore) that holds it. You can obtain the certificate used to sign SAML messages with one of the following methods:

Method: Customer-signed SAML certificate
Description: Load a customer-signed, SAML-dedicated X.509 certificate into the certificate keystore.
Notes: Recommended approach. The certificate is used only for SAML signing, and the same certificate is deployed to every application server.

Method: HTTPS certificate
Description: Use the certificate that was created as part of the enabling HTTPS procedure.
Notes: This method is relevant only when the installation is HTTPS-enabled and a certificate is already deployed on the Application Server. Avoid this method in production environments, as it binds the same certificate and private key to two different usages (TLS server authentication and SAML message signing).
Important: This method is only possible if the TLS certificates are identical on all application servers, for example when a wildcard certificate is used or a single certificate lists every server in its Subject Alternative Names. If each server has its own TLS certificate, the servers sign SAML requests with different keys and the IdP cannot trust all of them.

Method: SAML dedicated self-signed certificate
Description: Load a SAML-dedicated self-signed certificate into the WFO keystore.
Notes: Avoid this option in production environments, as the customer IdP must explicitly trust this self-signed certificate for SAML authentication to succeed, and a self-signed certificate cannot be validated through the customer's existing CA chain.
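The requirement above that every application server sign with the same certificate (and the related condition on the HTTPS method) is easy to verify: compare the certificate each server's keystore holds against the signing certificate published in the SP metadata the IdP was given. The script below is an added example written for this page, not WFO or IdP code; the SP metadata, server names and DER certificate bytes are constructed placeholders, and the certificate comparison is by SHA-256 fingerprint, the same value `keytool -list` and `openssl x509 -fingerprint -sha256` print.

```python
"""Check that each WFO application server signs SAML messages with the
certificate published to the IdP.  Added example, not WFO code; metadata,
server names and certificate bytes are constructed placeholders."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of the first certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form keytool and openssl print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the SP metadata advertises for signing.
    A KeyDescriptor without a use attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # The metadata value is the base64 DER, the same bytes a PEM body carries.
            fps.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return fps


def check_servers(metadata_xml: str, server_pems: dict) -> dict:
    """Map each application server to True if the certificate it signs with is
    one the IdP was told to trust, else False (its signatures will be rejected)."""
    published = signing_fingerprints(metadata_xml)
    return {name: fingerprint(der_from_pem(pem)) in published
            for name, pem in server_pems.items()}


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, as exported from a keystore."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder bytes standing in for real DER certificates.
SAML_CERT_DER = b"\x30\x03\x02\x01\x01"
OTHER_CERT_DER = b"\x30\x03\x02\x01\x02"

# Constructed SP metadata, as handed to the customer IdP (entityID is hypothetical).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://wfo.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAML_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# What each application server's keystore actually holds (constructed); the
# third server has drifted and signs with a certificate the IdP does not trust.
SERVER_PEMS = {
    "wfo-app-01": to_pem(SAML_CERT_DER),
    "wfo-app-02": to_pem(SAML_CERT_DER),
    "wfo-app-03": to_pem(OTHER_CERT_DER),
}

if __name__ == "__main__":
    for server, ok in check_servers(SP_METADATA, SERVER_PEMS).items():
        print(server, "OK" if ok else "MISMATCH: IdP will reject this server's signatures")
```

In a real deployment, replace the placeholders with the SP metadata file exported from WFO and the PEM exported from each server's keystore (for example with `keytool -exportcert -rfc`). The same check, run against the TLS certificates instead, tells you whether the HTTPS-certificate method is even possible for a multi-server installation.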