Create Certificates to Sign SAML Requests

AutomationAn extra feature has become available for organizations that use the SAML protocol to give their people single sign-on access to 4me.  This new feature allows them to add an extra layer of security by ensuring that 4me signs the SAML request that it sends to the organization’s identity provider (e.g. Azure AD, Okta, OneLogin, Google Cloud Identity, etc.) when someone from the organization attempts to open 4me.

Before 4me can sign these SAML requests, a certificate needs to be generated.  Administrators can do this in the new ‘Certificates’ section of 4me’s Settings console.  Creating a certificate is easy.  It only requires the administrator to select a cryptographic algorithm, a start date and an end date.

Creating a SAML signing certificate in 4me

After creating a certificate, the administrator can download its X.509 certificate.  This is the certificate that an organization’s identity provider can use to verify that the public key belongs to 4me.

Download X-509 certificate

To get 4me to use the new certificate to sign the SAML requests that it generates, the owner of the organization’s 4me account goes to the ‘Single Sign-On’ section of the Settings console.  There the account owner can select (one of) the organization’s single sign-on configuration(s) that uses the SAML protocol.  The certificate can then be selected in the optional Signing certificate field that has become available at the bottom of the form.

After selecting a certificate, the Signing algorithm field becomes available to allow the account owner to select an RSA signature algorithm for signing the SAML requests.

Selecting signing certificate in 4me SSO configuration