Choose a certificate file

On the Trust page you can select a certificate provided by CyberArk Identity or you can upload your own certificate to establish secure SSO authentication between CyberArk Identity and the web application. Most applications can be configured using the default tenant signing certificate, but if you want to use your own certificate, you can choose -Upload New Signing Certificate- from the Security Certificate drop down menu.

Be sure to use a matching certificate both in the Identity Administration portal and in the application itself.

In most cases the SignatureMethod Algorithm in the certificate matches the DigestMethod Algorithm in the SAML assertion; however, some applications might require a different DigestMethod Algorithm. In those cases, you can use the setDigestMethodAlgorithm method in the SAML assertion script to manually set the DigestMethodAlgorithm.

setDigestMethodAlgorithm specifies the digest method algorithm to use in the SAML response. Possible values are:

  • sha1
  • sha256
  • sha384
  • sha512

The default value is the same as the SignatureMethod algorithm for the signing certificate selected for the app. For example, setDigestMethodAlgorithm('sha256').

To select a signing certificate for an application

  1. Select an application in the Identity Administration portal , then click Trust.
  2. In the Identity Provider Configuration area, expand the certificate section and then select one of the following options:

    Depending on the application, the certificate section might say Security Certificate, X.509 Certificate, Signing Certificate, etc.

    • Default Tenant Application Certificate (default)

      Select this option to use CyberArk Identity standard certificate. This is the default setting.

      Click Download to save the certificate so you can use it during the application configuration process.

      If you replace the certificate, be sure to update the application with the new certificate information.

      Any certificates uploaded to CyberArk Identity tenant from the Settings > Authentication > Platform > Signing Certificates are also shown in the drop down list. You can choose from any of those certificates as well. For more information on uploading certificates to be part of the standard set of available certificates, see Manage tenant signing certificates.
    • -Upload New Signing Certificate-

      Select this option to upload your organization’s own certificate. To use your own certificate, you must enter a name and a password (if the file requires a password) and then click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. Once uploaded, this certificate will also be listed in the list of certificates in Settings > Authentication > Platform > Signing Certificates and therefore available to all application deployments in the future.

      Upload the certificate from your local storage prior to downloading any IdP metadata. If the IdP metadata is available from a URL, be sure to upload the certificate prior to providing the URL to your service provider.

  3. Click Save.