RESOLUTION
Add the signing certificate to the 3rd party's trust store where appropriate. This may happen automatically where the 3rd party consumes the metadata URL or XML. In other cases it may be necessary to add the certificate manually, such as where you want to enable single sign-out for a trust that already exists from a pre-8.1 version of Cloud Access Manager. For instance, see the Configuration guide section on configuring a SAML Federated front-end authentication method for instructions on adding the certificate to an ADFS relying party.
Some IdPs and SPs do not have a facility for supporting single sign-out and so will not require this signing certificate, but may still reject the Cloud Access Manager metadata because they do not trust the signing certificate it contains. SSOCircle is one example of such an IdP. In this case you can work around the issue by manually removing the <signature> element from the Cloud Access Manager metadata XML before uploading it to the 3rd party.
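The removal described above can also be scripted. The following Python sketch is an added example, not One Identity code. It assumes the signature is a standard XML-DSig `<ds:Signature>` element sitting directly under the metadata root, and it runs against constructed sample metadata with placeholder values:

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ROOT_TAGS = (f"{{{MD_NS}}}EntityDescriptor", f"{{{MD_NS}}}EntitiesDescriptor")

# Keep the conventional prefixes when the document is written back out.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

def strip_metadata_signature(xml_text):
    """Return (metadata XML without its enveloped signature, number removed).

    Only Signature elements that are direct children of the root are removed.
    KeyInfo/X509Certificate elements inside md:KeyDescriptor are left alone,
    because the 3rd party still needs those keys to validate SAML messages.
    """
    root = ET.fromstring(xml_text)
    if root.tag not in ROOT_TAGS:
        raise ValueError("not SAML 2.0 metadata: " + root.tag)
    signatures = root.findall(f"{{{DS_NS}}}Signature")
    for sig in signatures:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode"), len(signatures)

# Constructed sample metadata; entityID and certificate values are placeholders.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://cam.example.test/">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-SP-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    cleaned, removed = strip_metadata_signature(SAMPLE)
    print(f"removed {removed} signature element(s)")
    print(cleaned)
```

With the signature removed, the 3rd party can no longer verify the integrity of the metadata file itself, so deliver the edited XML over a channel you trust.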