...

SAML login is activated for the SUNET instance of SCM, but you need to configure the attribute release manually in your Identity Provider because the SCM entity in metadata has no defined entity category. The reason for this is that Sectigo has registered their Service Provider in InCommon and cannot use the Europe-only entity category, the GÉANT Data Protection Code of Conduct.

The following single-valued attributes should be released to the entityId https://cert-manager.com/shibboleth:

...

  • schacHomeOrganization (urn:oid:1.3.6.1.4.1.25178.1.2.9)
  • eduPersonEntitlement (urn:oid:1.3.6.1.4.1.5923.1.1.1.7) with the value urn:mace:terena.org:tcs:personal-user
    Please note that this entitlement value must only be released for those users who fulfil the requirements for requesting personal certificates, within Sweden the SWAMID Assurance Level 2 Profile.

SWAMID has added the needed attribute release at the end of the current Shibboleth IdP best practice Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above and in Manual attribute releases with ADFS Toolkit. If your Identity Provider uses this example filter, uncomment the release configuration for Sectigo SCM and the correct attributes will be released.

...

After your Identity Provider administrators have configured the attribute release you should test it at https://cert-manager.com/customer/sunet/ssocheck. In this test only eduPersonPrincipalName and mail are required, but for the upcoming personal certificates givenName, sn, displayName, schacHomeOrganization and eduPersonEntitlement (not displayed in the test right now) will also be required. To dig further and test, you can look at https://cert-manager.com/Shibboleth.sso/Session after a login to see which attributes were released from your Identity Provider and recognised by Sectigo.
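For Identity Providers that do not use the SWAMID example filter, the following is an added example (not taken from this page, SWAMID or Sectigo) of a Shibboleth IdP v3 attribute-filter.xml policy that releases the attribute set described above to the SCM entityId. It assumes the attributes are defined in the IdP's attribute resolver under the standard ids eduPersonPrincipalName, mail, givenName, sn, displayName, schacHomeOrganization and eduPersonEntitlement; adjust the ids if your resolver names them differently.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: one AttributeFilterPolicy element to place inside the
     AttributeFilterPolicyGroup of conf/attribute-filter.xml on a Shibboleth IdP v3/v4.
     Attribute ids below are assumed to match the IdP's attribute-resolver.xml. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Release only to the Sectigo SCM Service Provider, matched on its entityId. -->
    <AttributeFilterPolicy id="releaseToSectigoSCM">
        <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" />

        <!-- Required today by the SSO check. -->
        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
        <AttributeRule attributeID="mail" permitAny="true" />

        <!-- Required for personal certificates. -->
        <AttributeRule attributeID="givenName" permitAny="true" />
        <AttributeRule attributeID="sn" permitAny="true" />
        <AttributeRule attributeID="displayName" permitAny="true" />
        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />

        <!-- Release only the TCS personal-user value, never the user's whole entitlement list.
             Which users carry this value must be decided upstream (resolver/directory),
             limited to users meeting SWAMID Assurance Level 2. -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="urn:mace:terena.org:tcs:personal-user" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

The Value rule on eduPersonEntitlement is the part worth keeping even if you simplify the rest: a permitAny rule there would leak every entitlement the user has to Sectigo, whereas the value rule releases exactly the one value SCM needs. After reloading the filter service (or restarting the IdP), verify with the ssocheck page and the Shibboleth.sso/Session view linked above that each attribute arrives single-valued.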

Configure SCM

When you have verified that your IdP is correctly configured, you can go on to configure use of SAML authentication:

...