Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. This article also answers some common questions regarding SAML certificates.
Refer to SAML Configuration for more information.
A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.
To generate a certificate using OpenSSL:
openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
To generate a certificate using Windows Internet Information Services (IIS):
openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes
What should we set the "common name" to be when generating a certificate?
The common name can be any desired value. There is no restriction on common name from the Appian side.
What is the private key used for when generating the certificate?
The private key will only be used for signing SAML assertions. It will NOT be used for SSL encryption for HTTPS communications.
Can the certificate be signed by any trusted Certificate Authority (CA), like our internal Microsoft CA, or does it need to be a mutually-trusted certificate, such as a certificate signed by Symantec or another CA?
There is no requirement for a CA-signed certificate from the Appian side. For a production environment, Appian Technical Support recommends using a CA signed certificate.
This article applies to Appian 7.11 and later.
Last Reviewed: February 2017
© 2019 Appian. All rights reserved.