...

If you need to change the text in the emails sent from the system, you can do that under Settings → Templates → Email Template. If you do, please report your experience with that feature (good or bad) to tcs@sunet.se.

SAML Configuration

SAML login is activated for the SUNET instance of SCM, but you need to configure the attribute release manually in your Identity Provider because the SCM entity in metadata has no defined entity category. The reason behind this is that Sectigo has registered their Service Provider in InCommon, so it can't carry the European-only entity category GÉANT Data Protection Code of Conduct.

The following attributes should be released to the entityId https://cert-manager.com/shibboleth:

  • eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)
  • mail (urn:oid:0.9.2342.19200300.100.1.3)
  • displayName (urn:oid:2.16.840.1.113730.3.1.241)
  • givenName (urn:oid:2.5.4.42)
  • sn (urn:oid:2.5.4.4)

SWAMID has added the needed attribute release at the end of the current best practice Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above. If your Identity Provider uses this example filter, uncomment the release configuration for Sectigo SCM and the correct attributes will be released.
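As an added illustration (not the SWAMID filter file itself), the uncommented Sectigo SCM policy in a Shibboleth IdP v3.4+ attribute-filter.xml would look like this; the policy id and the attributeID values are assumptions and must match the IDs defined in your attribute-resolver.xml:

```xml
<!-- Illustrative fragment for conf/attribute-filter.xml (Shibboleth IdP v3.4+).
     Releases only the five attributes SCM needs, and only to the Sectigo SP. -->
<AttributeFilterPolicy id="releaseToSectigoSCM">
    <!-- Match on the exact SCM entityId; there is no entity category to key on -->
    <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" />

    <!-- attributeID values assumed to be the default resolver IDs; in many
         deployments the sn attribute is defined with the ID "surname" -->
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="displayName" permitAny="true" />
    <AttributeRule attributeID="givenName" permitAny="true" />
    <AttributeRule attributeID="surname" permitAny="true" />
</AttributeFilterPolicy>
```

Reload the filter service (bin/reload-service.sh -id shibboleth.AttributeFilterService) or restart the IdP before testing the release.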

After your Identity Provider administrators have configured the attribute release, you can test it at https://cert-manager.com/customer/sunet/ssocheck. In this test only eduPersonPrincipalName and mail are required, but for the upcoming personal certificates givenName, sn and displayName (not displayed in the test) will be required.

To use federated login in the SCM portal you need to go into all your current RAO and DRAO admin accounts (Admins) and change the field Identity provider to "Your institution" and the field IdP Person Id to the eduPersonPrincipalName of the admin. For new admins, use the button Add IdP User instead of the button + Add; don't forget to give the rights to the new admin as described above.

Pål to write about what needs to be configured on the IdP side, both for general attribute release so that it works to authenticate using one's IdP towards the SCM system, and also the specific attributes that will be used by the Sectigo version of the client certificates self-service-via-SAML portal.

Using the REST API

Sectigo REST API documentation can be found at https://support.sectigo.com/Com_KnowledgeProductPage?c=Sectigo_Certificate_Manager_SCM in the "SCM - Sectigo Certificate Manager REST API" document.

...