The SAML Response from Id.Signicat is signed with an X.509 certificate. By checking the validity of the signature on the response, you can always be sure that a SAML Response really was created by id.signicat.com and that it was not tampered with.
Test and production
All installations in the test environment preprod.signicat.com use a test certificate. The Signicat Connector for Java and .NET will by default check the signature on any SAML Response against this test certificate.
Installations in the production environment will have their own certificates. You will receive a different certificate for the production environment when this environment is created.
You must always use the correct certificate for the correct environment.
Renewal of SAML signing certificates and Signicat's Connectors and Applications
Signicat renews its SAML signing certificates every second year (years ending with an odd number). Signicat's Connectors and Applications may be affected each time the SAML signing certificates are renewed. See this page for an overview.
SAML certificate for production
This is the information you need to connect your system to the production environment if you are already connected to a working configuration in the test environment. The production environment is identical to your test environment, with a few exceptions:
- The SAML signing certificate used to ensure that information sent from id.signicat.com is not tampered with is different
- The name of the SAML signing certificate used to ensure that information sent from id.signicat.com is not tampered with is different
- The URL to the service is different
- The default target URL should point to your production environment
Also remember that the production environment is always connected to the production infrastructure for all identity solutions. Real persons will have to use real certificates and real passwords to log in to applications connected to this environment.
SAML certificate and security
It is important to get the certificate configuration right. This certificate is used to secure the connection between id.signicat.com and your application. The information sent between id.signicat.com and your application travels over the internet, and could in theory be tampered with by the user or by other individuals with malicious intentions.
You do not have to keep the certificate secret. The certificate is public, and anyone can read it. But it is very important that no one is able to change the certificate file.
1. The SAML certificates
We recommend installing the CA certificate and validating the incoming SAML responses using this certificate.
- SAML certificate for test (2013)
- SAML certificate for prod (2013)
- SAML certificate for test (2015)
- SAML certificate for prod (2015)
- SAML certificate for test (2017)
- SAML certificate for prod (2017)
2. The name of the SAML certificate
The SAML certificates in test and production have different names.
The certificate name in the preprod environment is: CN=test.signicat.com/std, OU=Signicat, O=Signicat, L=Trondheim, ST=Norway, C=NO
The certificate name in production environment is: CN=id.signicat.com/std, OU=Signicat, O=Signicat, L=Trondheim, ST=Norway, C=NO
The name of the certificate is used as input to the library you are using for validating SAML responses from id.signicat.com. Find the place where this is configured and change the value.
The password is always "changeit" when you receive the file from us.
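The name above is typed into a configuration file, and different tools print the same name with different spacing and attribute casing, so a string comparison can give a false mismatch while a production install can silently keep the preprod name. The following is an added example, not Signicat's code or connector logic: it parses the RFC 2253 style name (handling escaped commas and the "/" inside the CN, which is not a separator in this format) and reports whether the configured value is the right one for the chosen environment. The two expected names come from this page; the function and variable names are the example's own.

```python
"""Added example (not Signicat's code): sanity-check the signer name configured
for a Signicat environment before deploying, so a production install is not
left validating against the preprod certificate name."""

# Subject names quoted on this page for the preprod and production signing certificates.
EXPECTED_SIGNER_DN = {
    "preprod": "CN=test.signicat.com/std, OU=Signicat, O=Signicat, L=Trondheim, ST=Norway, C=NO",
    "prod": "CN=id.signicat.com/std, OU=Signicat, O=Signicat, L=Trondheim, ST=Norway, C=NO",
}


def parse_dn(dn):
    """Split an RFC 2253 style name into a list of (attribute, value) pairs.

    A comma inside a value is escaped as "\\,". The "/" in "test.signicat.com/std"
    is an ordinary character in this format, so the string must not be split on
    it (that only applies to OpenSSL's "/CN=.../OU=..." style)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep the escaped character literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        if not part.strip():
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        # Attribute types are case-insensitive; values are compared as configured.
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(configured, expected):
    """True when both names carry the same attributes and values in the same order,
    regardless of spacing around separators or attribute-type casing."""
    return parse_dn(configured) == parse_dn(expected)


def environment_of_dn(dn):
    """Return the environment whose signing certificate name this is, or None."""
    for env, expected in EXPECTED_SIGNER_DN.items():
        if dn_matches(dn, expected):
            return env
    return None


def check_signer_dn(environment, configured_dn):
    """Return (ok, message) for the name configured in the SAML validation library."""
    expected = EXPECTED_SIGNER_DN[environment]
    if dn_matches(configured_dn, expected):
        return True, "signer name matches the %s certificate" % environment
    other = environment_of_dn(configured_dn)
    if other:
        return False, "configured name belongs to the %s environment, not %s" % (other, environment)
    return False, "configured name matches no known Signicat signing certificate"


if __name__ == "__main__":
    # Constructed config value: the production name, but with the spacing and
    # casing another tool might have printed it with.
    configured = "cn=id.signicat.com/std,ou=Signicat, O=Signicat ,L=Trondheim,ST=Norway,C=NO"
    print(check_signer_dn("prod", configured))
    print(check_signer_dn("prod", EXPECTED_SIGNER_DN["preprod"]))
```

Run the check against the value actually read from your configuration file rather than a copy, so that it catches a production deployment that still carries the preprod name.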
3. The URL to the service
The URL to the service is identical to the URL in your test environment, except that the first part of the domain name is "id" instead of "preprod".
The xxx in the examples above is the name of the service you are using.
4. Default target URL
You have provided the default target URL for preprod.signicat.com. Remember to provide the corresponding URLs for your application in the production environment.
Manually validating that the certificate is correct
You may want to validate that the installed certificate is correct after installation. Read the certificate "fingerprint" by inspecting the certificate as described above. The fingerprint is a unique string identifying the certificate; it will be different if the certificate is wrong or has been tampered with in any way.
You may send us the fingerprint by email, mail or fax for verification at any time.
The fingerprint is also public information, and does not have to be protected as a secret.
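The fingerprint check above is usually done by reading the value from openssl or keytool and comparing it by eye with the one Signicat confirmed. As an added example, not Signicat's code, the following computes the fingerprint the same way those tools do (a digest over the certificate's DER encoding) and compares it with a value received by mail or fax, tolerating colons, spaces, mixed case and a "SHA256 Fingerprint=" prefix. The embedded PEM block is a constructed stand-in, not a real certificate, so that the example runs offline; in use, read the installed certificate file instead.

```python
"""Added example (not Signicat's code): compute the fingerprint of an installed
signing certificate and compare it with the value Signicat confirmed, in the
same way a manual check with openssl or keytool would."""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificates_from_pem(pem_text):
    """Return the DER bytes of every certificate in a PEM file.

    A CA bundle may contain several certificates; the fingerprint is computed
    over each one's DER encoding, which is what openssl and keytool hash."""
    ders = []
    for match in PEM_BLOCK.finditer(pem_text):
        body = "".join(match.group(1).split())        # drop line breaks inside the block
        ders.append(base64.b64decode(body, validate=True))
    if not ders:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return ders


def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest, the format openssl and keytool print."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Reduce a fingerprint as received by mail or fax to bare upper-case hex:
    strips a 'SHA256 Fingerprint=' prefix, colons, spaces and mixed case."""
    value = text.rpartition("=")[2]     # text after the last '=', or the whole text
    return re.sub(r"[^0-9A-F]", "", value.upper())


def fingerprint_matches(der, expected_fingerprint):
    """Compare the installed certificate with the fingerprint Signicat confirmed.

    The digest algorithm is inferred from the length of the expected value
    (SHA-1 = 40 hex digits, SHA-256 = 64); the comparison is constant-time."""
    expected = normalize_fingerprint(expected_fingerprint)
    algorithm = {40: "sha1", 64: "sha256"}.get(len(expected))
    if algorithm is None:
        raise ValueError("expected fingerprint is neither SHA-1 nor SHA-256 hex")
    actual = normalize_fingerprint(fingerprint(der, algorithm))
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a certificate file: these bytes are not a real X.509
# certificate, only a DER-shaped payload so the PEM handling and hashing can run.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    re.findall(r".{1,64}", base64.b64encode(CONSTRUCTED_DER).decode())
) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = certificates_from_pem(CONSTRUCTED_PEM)[0]
    print("SHA256 Fingerprint=" + fingerprint(der))
    # As if the value came back from Signicat in lower case and without colons:
    print(fingerprint_matches(der, fingerprint(der).lower().replace(":", "")))
```

Because the fingerprint is public, the value to protect is the certificate file itself: a comparison against a fingerprint confirmed out of band is what detects a replaced or altered file, which is exactly the case the section above describes.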