-
Title
Trust issues occur with the Cloud Access Manager self-signed single sign-out certificate -
Description
Cannot create a federated trust to a service provider or relying party because it reports a certificate is not trusted.
-
Cause
In Cloud Access Manager v8.1 support for federated single sign-out has been implemented; this necessitated adding a new certificate to the federation metadata generated for CAM applications and authenticators. This signing certificate is self-signed and so not automatically trusted by other IdPs and SPs and therefore needs to be added to their trust stores. -
Resolution
RESOLUTION
Add the signing certificate to the 3rd party's trust store where appropriate; this may happen automatically where the 3rd party consumes the metadata URL or XML or it may be necessary to add the certificate manually or where you want to enable single sign-out for a trust that already exists from a pre-8.1 version of Cloud Access Manager; for instance, see the Configuration guide section on configuring a SAML Federated front-end authentication method for instructions on adding the certificate to an ADFS relying party.
Some IdPs and SPs will not have a facility for supporting single sign-out and so will not require this signing certificate, but may still reject the Cloud Access Manager Metadata because they do not trust the signing certificate it contains, SSOCircle is one example of such an IdP; in this case you can work around the issue by manually removing the <signature> element from the Cloud Access Manager metadata XML before uploading it to the 3rd party.