Extract Certificate from SP Metadata
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article covers how to extract an Encryption Certificate or Signing Certificate from the Service Provider (SP) Metadata File.

Applies To
  • Service Provider (SP) Metadata File
  • Custom Security Assertion Markup Language (SAML) App
Solution

Single Log Out

SAML single logout requires a signature on both sides. In this scenario, the party that initiates the logout sends a signed SAML LogoutRequest to the other, and then the receiver responds with a signed response. Usually, a Signing Certificate is required to configure Single Logout (SLO). The Single Logout (SLO) feature allows a user to sign out of an SLO participating app on their device and end their Okta session.

Encryption

Encryption is done by the Identity Provider (IdP) when sending a SAML response to an SP. Because the IdP uses the SP’s public key, the SP must provide that public key to the IdP during setup. This is included in the SAML metadata or can be provided separately as a standalone certificate.

 

Extract a certificate from the SP metadata file

  1. Download the SP metadata file from the application.

  2. Create a new file in a text editor and enter the following text exactly as shown:

     -----BEGIN CERTIFICATE-----

     -----END CERTIFICATE-----

  3. Use a text editor to open the SP metadata file that was saved on the computer.
  4. Copy the appropriate line from the SP metadata file.
     [Image: SP metadata file]

  5. Paste the copied line from the SP metadata file to the blank line between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
     [Image: Copied lines from SP metadata file]

  6. Save the PEM-encoded file.

NOTE: Not all service providers have multiple or separate certificates in their metadata file. Sometimes only one certificate is visible. For further clarification, contact the service provider's support team.
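
The manual steps above can also be scripted. The following Python sketch is an added example, not Okta's code: it reads the X509Certificate value under each KeyDescriptor in the SP metadata, labels it by its use attribute (including the single-certificate case from the note above), and returns it as PEM with a SHA-256 fingerprint that can be compared with the service provider out of band. The function name, the sample entity ID and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def extract_certs(metadata_xml):
    """Return (use, pem, sha256_hex) for every certificate in the SP's KeyDescriptors."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata has no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in SAML metadata")
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' applies to both signing and encryption.
        use = kd.get("use", "signing+encryption")
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())    # metadata may wrap or indent it
            der = base64.b64decode(b64, validate=True)  # rejects non-base64 characters
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
            found.append((use, pem, hashlib.sha256(der).hexdigest()))
    return found

# Constructed sample: placeholder bytes stand in for real DER certificates.
SIGN_DER = b"\x30\x82" + b"S" * 70
ENC_DER = b"\x30\x82" + b"E" * 70
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(SIGN_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(ENC_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for use, pem, fingerprint in extract_certs(SAMPLE):
        print(f"use={use} sha256={fingerprint}")
        print(pem, end="")
```

With a real metadata file, pass its contents to extract_certs and save the PEM text for the use value needed (signing for SLO, encryption for assertion encryption).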
