Certificates and Secrets

SAML 2.0 secrets for hosted SP or IDP entities are managed by the secrets API, which lets you rotate certificates using secret mappings. This only applies to hosted entities; certificates for remote entities are derived from SAML 2.0 metadata provided by the third party.

The following certificates are used in SAML 2.0 flows with the corresponding secret mappings.

CertificateAM RoleThird-party RoleAM Use CaseThird-party Use CaseSecret
Hosted IDP signing certificateHosted IDPRemote SPSign outbound SAML assertionsValidate inbound signed SAML assertion

am.applications.federation.entity.providers.saml2.secret identifier.signing [a]


Hosted IDP encryption certificateHosted IDPRemote SPDecrypt inbound encrypted SAML requestsEncrypt outbound SAML requests

am.applications.federation.entity.providers.saml2.secret identifier.encryption [a]


Hosted SP signing certificateHosted SPRemote IDPSign outbound signed SAML requestsValidate inbound signed SAML requests

am.applications.federation.entity.providers.saml2.secret identifier.signing [a]


Hosted SP encryption certificateHosted SPRemote IDPDecrypt inbound SAML assertionsEncrypt outbound SAML assertion

am.applications.federation.entity.providers.saml2.secret identifier.encryption [a]


[a] If defined, this secret is used; otherwise the default (in brackets) is used

Read a different version of :