Which CN for X.509 certificate?

Hi everyone,

In another post in this forum, I read that one could, e.g., use the same SSL certificate (X.509) for SAML signing/encryption as is used on a web server that is offering HTTPS. For HTTPS it is essential that the CN equals the hostname that the user is entering in his/her browser; otherwise it will complain about a non-matching CN. This is for HTTPS traffic.

Now let's assume I am writing a service that is going to use the SAML component utilizing an X.509 certificate. I want this service to be valid for any customer… what CN would I choose for this certificate? Does the CN have to match the hostname that the SAML services are running on? Would it be OK to choose something general like saml.mycompany.com as the CN for the certificate and use it for any type of SAML action?

The certificate check made by browsers doesn't apply at the SAML level. A certificate with a CN of saml.mycompany.com is fine as far as the XML signatures and XML encryption used by SAML are concerned. A trust relationship must exist between your company and the other organizations participating with you in SAML SSO. These third parties will trust that you are supplying them with the appropriate certificate. This is different from the relationship between an arbitrary user with their web browser and a web application.
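The following is an added example illustrating the distinction drawn in this answer; it is not code from the original thread. It is written in Go with only the standard library and contrasts the two checks: the HTTPS-style hostname check (which fails for a customer's host even though the certificate is perfectly valid) and the SAML-style check, where the relying party trusts the exact certificate it received from you out of band (pinned from your metadata) and verifies the message signature under that certificate's key, regardless of the CN. The certificate, the customer hostname `sso.customer.example` and the signed payload are all constructed here; `saml.mycompany.com` is the name from the question. A real SAML implementation signs canonicalised XML via XML-DSig, which this example replaces with a plain ECDSA signature over bytes to keep the trust logic visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSigningCert creates a self-signed certificate with the given name as CN.
// It stands in for the certificate a SAML party publishes in its metadata.
// The name is also placed in a SAN because modern TLS stacks (Go included)
// match hostnames against SANs only and ignore the CN.
func newSigningCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed example value
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// hostnameTrust is the browser/HTTPS-style check: does the certificate's
// name match the host the client connected to? SAML does not use this.
func hostnameTrust(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// fingerprint is the SHA-256 digest of the DER certificate, the value
// operators typically compare when exchanging SAML metadata.
func fingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.Raw)
}

// samlTrust is the SAML-style check: the certificate presented with the
// message must be the one exchanged out of band (pinned from metadata), and
// the signature must verify under its key. The CN plays no role.
func samlTrust(pinned, presented *x509.Certificate, msg, sig []byte) error {
	p, q := fingerprint(pinned), fingerprint(presented)
	if subtle.ConstantTimeCompare(p[:], q[:]) != 1 {
		return errors.New("presented certificate is not the one exchanged in metadata")
	}
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// sign produces an ECDSA signature over SHA-256(msg); a stand-in for XML-DSig.
func sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Demo collects the outcomes of both kinds of check for one constructed message.
type Demo struct {
	HostnameMatchesOwnName  bool // HTTPS-style check against saml.mycompany.com
	HostnameMatchesCustomer bool // HTTPS-style check against a customer's host
	PinnedTrusted           bool // SAML-style check with the metadata certificate
	StrangerRejected        bool // same CN, different key: must be rejected
}

func RunDemo() (Demo, error) {
	var d Demo
	cert, key, err := newSigningCert("saml.mycompany.com")
	if err != nil {
		return d, err
	}
	// Constructed payload standing in for a SAML assertion.
	msg := []byte(`<saml:Assertion ID="_constructed-example">...</saml:Assertion>`)
	sig, err := sign(key, msg)
	if err != nil {
		return d, err
	}
	d.HostnameMatchesOwnName = hostnameTrust(cert, "saml.mycompany.com")
	d.HostnameMatchesCustomer = hostnameTrust(cert, "sso.customer.example")
	d.PinnedTrusted = samlTrust(cert, cert, msg, sig) == nil

	// A certificate with the same CN but from a party whose metadata was never
	// exchanged must fail the SAML-style check, even though its signature is valid.
	stranger, strangerKey, err := newSigningCert("saml.mycompany.com")
	if err != nil {
		return d, err
	}
	strangerSig, err := sign(strangerKey, msg)
	if err != nil {
		return d, err
	}
	d.StrangerRejected = samlTrust(cert, stranger, msg, strangerSig) != nil
	return d, nil
}

func main() {
	d, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", d)
}
```

The point the output makes: the hostname check against the customer's host fails and the check against your own name succeeds, yet neither matters to the relying party, which accepts the message only because the presented certificate is byte-for-byte the one it pinned from your metadata. A second certificate bearing the identical CN is rejected because pinning compares the certificate, not the name.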

Perfect. Thanks!