ComponentSpace

Forums



Which CN for X.509 certificate?


Which CN for X.509 certificate?

Author
Message
wneessen
wneessen
New Member
New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)

Group: Forum Members
Posts: 2, Visits: 9
Hi everyone,

in another post in this forum, I read, that one could e. g. use the same SSL certificate (X.509) for the SAML signing/encryption as e. g. used on a webserver, that is offering HTTPS. For HTTPS it is essential, that the CN equals the hostname, that the user is entering in his/her browser- otherwise it will complain about a non-matching CN. This is for HTTPS traffic.

Now let's assume I am writing a service, that is going to use the SAML component utilizing a X.509 certificate. I want this service to be valid for any customer... what CN would I choose for this certificate? Has the CN to match the hostname that the SAML services are running on? Would it be ok to choose s. th. general like saml.mycompany.com as CN for the certificate and use it for any type of SAML action?
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K

The certificate check made by browsers doesn't apply at the SAML level. A certificate with a CN of saml.mycompany.com is fine as far as the XML signatures and XML encryption used by SAML. A trust relationship must exist between your company and other organizations participating with you in SAML SSO. These third parties will trust that you are supplying them with the appropriate certificate. This is different from the relationship between an arbitrary user with their web browser and a web application.



Regards
ComponentSpace Development
wneessen
wneessen
New Member
New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)

Group: Forum Members
Posts: 2, Visits: 9
Perfect. Thanks!
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search