My issue is that my identity provider (idp) does not accept the by jamf SSO generated self-signed certificate. Below I will describe how I got around this issue.
I'm using the jamf cloud service.
- Perform the below steps on a machine with OpenSSL installed
In this example I use the following information
- FQDN: sp.example.com
- entityID: https://example.jamfcloud.com/saml/metadata
Create an OpenSSL config file sp-cert.cnf with the following content. (note: your idp might require you to use different settings here!!)
[req]
RANDFILE=/dev/urandom
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
prompt=no
x509_extensions=ext
# customize the "default_keyfile,", "CN" and "subjectAltName" lines below
default_keyfile=sp-key.pem
[dn]
CN=sp.example.org
[ext]
subjectAltName = DNS:sp.example.org,
URI:https://example.jamfcloud.com/saml/metadata
subjectKeyIdentifier=hash
Run following command (again your idp might require you to add different parameter here)
openssl req -new -x509 -config sp-cert.cnf -text -out sp-cert.pem -days 1096
You are left with a cert and key file. combine these in a password-protected certificate file (note: that you can use different options for -passout to avoid typing the pw in clear text in your terminal, for me I didn’t care as I performed these steps on my machine, also I don’t really see a point in protecting my key, as it should anyways be stored in a protected environment.)
openssl pkcs12 -export -in sp-cert.pem -inkey sp-key.pem -out sp-cert.p12 -passout pass:<<password>>
The .p12 file can be uploaded to your jamf SSO configuration.
