Certificate and Validation

A trust relationship is established between the IdP and the SP when both exchange their respective certificates.

All communications (SAML Request and Response) will be signed by the issuing party. The receiving party will use the certificate to validate the received communication.

IdP Certificates

The IdP's certificate is usually available in its metadata file and is imported automatically when that metadata file is imported. After import, the certificate can be viewed and managed in the SSO interface. Certificates can also be imported manually. A certificate can be associated with one or both Service Providers (SmartOrg and career section). Each certificate has a validity period defined by a start date and an end date.

Multiple certificates can be imported for an IdP. At least one has to be valid for SSO connections to be established.

SP Certificates

The SP certificates are available through the SP's metadata file. A separate certificate is generated for each SP-IdP combination.

Validation

Upon receiving an assertion, each Service Provider performs the following validity checks.

  • Signature – Validate that the assertion has been signed by the IdP.

  • Timeout – Validate that the age of the assertion has not exceeded a specified timeout period. The age is calculated as the time difference between the moment the assertion was received (by the SP) and the moment the assertion was issued (by the IdP). A timeout period of up to 30,000 milliseconds can be configured.
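The time-based parts of these checks, as an added illustration that is not code from the product or its documentation: the assertion age (time received by the SP minus the assertion's IssueInstant) is compared with the configured timeout, capped at 30,000 ms, and the IdP certificate list is checked for at least one certificate whose start/end dates cover the current time. The assertion XML, certificate dates and the future-dated-assertion rule are constructed assumptions; the Signature check itself needs an XML-DSig library and is not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MAX_TIMEOUT_MS = 30_000  # largest timeout the SSO configuration accepts

# Constructed sample assertion (not taken from the page); only the fields
# the checks below use are populated. The signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
</saml:Assertion>"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC timestamp (helper for callers and tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_instant(value):
    """Parse a SAML xsd:dateTime such as 2024-05-01T12:00:00Z into a UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assertion_age_ms(assertion_xml, received_at):
    """Age as the page defines it: time received by the SP minus IssueInstant."""
    root = ET.fromstring(assertion_xml)
    issued = parse_instant(root.attrib["IssueInstant"])
    return (received_at - issued) / timedelta(milliseconds=1)


def check_timeout(assertion_xml, received_at, timeout_ms):
    """Return (accepted, reason). timeout_ms is the SP's configured timeout."""
    if not 0 < timeout_ms <= MAX_TIMEOUT_MS:
        raise ValueError(f"timeout must be between 1 and {MAX_TIMEOUT_MS} ms")
    age = assertion_age_ms(assertion_xml, received_at)
    if age < 0:
        # Assumption beyond the page: an assertion dated in the future means the
        # IdP and SP clocks disagree; treat it as a failure rather than as fresh.
        return False, f"assertion issued {-age:.0f} ms in the future"
    if age > timeout_ms:
        return False, f"assertion age {age:.0f} ms exceeds timeout {timeout_ms} ms"
    return True, f"assertion age {age:.0f} ms within timeout"


def has_valid_idp_certificate(validity_periods, now):
    """At least one imported IdP certificate must be inside its start/end dates."""
    return any(start <= now <= end for start, end in validity_periods)
```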