Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. This article also answers some common questions regarding SAML certificates.
Refer to SAML Configuration for more information.
A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.
To generate a certificate using OpenSSL (the -config option points at an openssl.cnf file; omit it to use the default configuration):
openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Because -keyout and -out name the same file, OpenSSL writes the private key first and appends the certificate, so my-certificate.pem contains both. The private key in this file must be unencrypted. An unencrypted key is delimited by
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(current OpenSSL releases write an unencrypted key in PKCS#8 form, delimited by -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- instead; that form is also unencrypted). If the command above prompted for a passphrase, the key is encrypted and is delimited by
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
To decrypt it, run the following command, enter the passphrase, and replace the encrypted block in my-certificate.pem with the key it prints:
openssl rsa -in my-certificate.pem
With OpenSSL 3.x, add -traditional to that command to get the RSA PRIVATE KEY form shown above; without it, OpenSSL 3.x prints the PKCS#8 form. Alternatively, add -nodes to the openssl req command so the key is written unencrypted in the first place. Either way the file then holds a private key with no passphrase, so restrict its permissions to the account that will upload it.
To use a certificate generated with Windows Internet Information Services (IIS), export it from IIS together with its private key as a PFX (PKCS#12) file, then convert it to PEM with OpenSSL:
openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes
The -nodes option writes the private key unencrypted; without it, OpenSSL asks for a passphrase and writes an ENCRYPTED PRIVATE KEY block, which must then be decrypted with openssl rsa. The output also contains Bag Attributes lines describing the PFX contents; these sit outside the PEM blocks.
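The two procedures above, generation with OpenSSL and conversion of an IIS export, as an added POSIX shell example that is not part of the Appian article. It goes one step beyond the article: besides producing the combined key-plus-certificate file, it checks a PEM file for the layout the article calls for (one unencrypted key, a certificate) using text tools only, and then checks with OpenSSL that the certificate actually belongs to the private key in the same file, which is the failure a layout check cannot catch. It assumes the OpenSSL CLI (1.1 or 3.x) is on PATH; the file names, the default common name appian-saml-sp and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the Appian article. Builds the combined
# key-plus-certificate PEM file described above and checks a PEM file
# before it is uploaded as the Service Provider Signing Certificate.
# Assumes the OpenSSL CLI (1.1 or 3.x); file names, the default common
# name and the function names are placeholders chosen for this example.

# Generate an unencrypted 2048-bit RSA key and a 10-year self-signed
# certificate into one file. -nodes skips the passphrase prompt so the key
# is written unencrypted; -subj answers the DN prompts non-interactively
# (the common name is arbitrary from Appian's side). Because -keyout and
# -out name the same file, openssl writes the key first and appends the
# certificate.
generate_saml_sp_cert() {
  out="$1"
  cn="${2:-appian-saml-sp}"
  rm -f "$out"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=$cn" -keyout "$out" -out "$out" 2>/dev/null
}

# Convert a PFX exported from IIS (with its private key) to the same
# layout; -nodes keeps the key unencrypted and -passin supplies the
# export password so nothing prompts.
pfx_to_saml_pem() {
  openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3" 2>/dev/null
}

# Layout check using text tools only: at least one certificate, exactly
# one private key, and that key unencrypted. The PKCS#8 "PRIVATE KEY"
# block written by openssl req/pkcs12 and the "RSA PRIVATE KEY" block
# written by openssl rsa both count as unencrypted; a PKCS#8 "ENCRYPTED
# PRIVATE KEY" block, or a traditional block carrying a "Proc-Type:
# 4,ENCRYPTED" header, means the passphrase was never removed.
check_saml_pem() {
  f="$1"
  [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
  certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
  plain=$(grep -c -E -- '^-----BEGIN (RSA )?PRIVATE KEY-----' "$f" || true)
  enc=$(grep -c -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" || true)
  legacy=$(grep -c -- '^Proc-Type: 4,ENCRYPTED' "$f" || true)
  if [ "$enc" -gt 0 ] || [ "$legacy" -gt 0 ]; then
    echo "$f: private key is encrypted; decrypt it with 'openssl rsa'" >&2
    return 1
  fi
  if [ "$plain" -ne 1 ]; then
    echo "$f: expected exactly one private key block, found $plain" >&2
    return 1
  fi
  if [ "$certs" -lt 1 ]; then
    echo "$f: no certificate block found" >&2
    return 1
  fi
  return 0
}

# Stronger check with openssl: the certificate's public key must be the
# one belonging to the private key in the same file. A mismatched pair
# passes the layout check but produces signatures the identity provider
# cannot verify against the certificate it was given.
check_saml_pem_pair() {
  f="$1"
  cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Typical use:
#   generate_saml_sp_cert my-certificate.pem "appian-saml-sp"
#   check_saml_pem my-certificate.pem && check_saml_pem_pair my-certificate.pem
```

check_saml_pem deliberately avoids openssl so it can run on any host, including one where the PEM was assembled by hand; check_saml_pem_pair is the one to run right before uploading, because copying the decrypted key from one terminal into a file that already held a different certificate is exactly the mistake that produces a valid-looking file whose signatures the identity provider rejects.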
What should we set the "common name" to be when generating a certificate?
The common name can be any desired value. There is no restriction on common name from the Appian side.
What is the private key used for when generating the certificate?
The private key is used only to sign the SAML requests and responses that Appian sends to the identity provider; the identity provider signs its assertions with its own key. It is NOT used for SSL/TLS encryption of HTTPS traffic, which uses the web server's certificate.
Can the certificate be signed by any trusted Certificate Authority (CA), like our internal Microsoft CA, or does it need to be a mutually-trusted certificate, such as a certificate signed by Symantec or another CA?
Appian does not require a CA-signed certificate; a self-signed certificate works. For a production environment, Appian Technical Support recommends using a CA-signed certificate.
This article applies to Appian 7.11 and later.
Last Reviewed: March 2021
© 2021 Appian. All rights reserved.