...
Support along with the Onboarding Team Members have the access to login as any MRAO in the system. The process is only used to support a MRAO who has questions regarding SCM or Support/Validation Related issues. In the process any of Sectigo staff needing to login as a MRAO they will notify the MRAO who asked for support or if we deem something is wrong they may just login as prior to responding.
Q: How do I enable SAML?
To enable SAML for admin access to SCM:
- Step 1: If you do not see the "your institution" button on the home page, please set up an IdP Template: under “admin” in cert-manager please select “add template” and then tick the RAO Admin - SSL and the organisation box below that.
- Step 2: make sure that the Sectigo SP is imported in your federation: the entityID is https://cert-manager.com/shibboleth, you can also check https://met.refeds.org/met/search_service/?entityid=cert-manager.com.
- Step 3: check that all the needed attributes are correctly released at the following URL: http://cert-manager.com/customer/<YOURID>/ssocheck/
- Step 4: in the SCM enter the ePPN of the admin you want enable in the "IdP Person ID" field.
To use SAML "self-enrollment" for server certificates (allows users outside of SCM admin to request server certificates):
- Step 1: go to Settings>Organizations>select organization.
- Edit the organization and select the SSL certficates tab.
- Select "self enrollment using SAML". This will provide you with a unique url that can be shared with users.
- The token string used in the url can be changed by administrators if issues occur.
To use SAML in order to allow users to order client certificates:
- https://cert-manager.com/customer/[YOURNREN]/idp/clientgeant.
- Configure your IdP correctly for Sectigo. See below.
- Edit your organization in SCM (Settings>Organizations>select) and set "Academic code (SCHAC Home Organization)" to the same value as your IdP sends for schacHomeOrganization. It will typically be your main domain, but confirm this with your IdP admins.
- Edit your organization object and set "Secondary Organization Name" to the name used in grid certificates (ASCII). Please check existing certificates. As grid certificate subjects are used as "usernames" in systems, it is vital that the whole subject string is kept as it was before for your users.
IdP must release the following information:
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | Johnny Doe | USED for CN. See below |
| cn | urn:oid:2.5.4.3 | John Doe | fallback for CN. See below |
| sn | urn:oid:2.5.4.4 | Doe | fallback for CN. See below |
| givenName | urn:oid:2.5.4.42 | John | fallback for CN. See below |
urn:oid:0.9.2342.19200300.100.1.3 | johndoe@example.edu | yes | |
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | jd@example.edu | yes |
eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | urn:mace:terena.org:tcs:personal-user | yes (see authorization) |
schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | example.edu | yes |
Q: What is needed to validate an organisation?
...