My issue is that my identity provider (IdP) does not accept the self-signed certificate generated by Jamf SSO. Below I describe how I got around this.
I'm using the Jamf cloud service.
In this example I use the following information:
- FQDN: sp.example.com
- entityID: https://example.jamfcloud.com/saml/metadata
Create an OpenSSL config file sp-cert.cnf with the following content (note: your IdP might require different settings here!). The CN and the DNS entry in subjectAltName must match your SP FQDN, and the URI entry must match your entityID.

[req]
RANDFILE=/dev/urandom
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
prompt=no
x509_extensions=ext
# customize the "default_keyfile", "CN" and "subjectAltName" lines below
default_keyfile=sp-key.pem

[dn]
CN=sp.example.com

[ext]
subjectAltName = DNS:sp.example.com, URI:https://example.jamfcloud.com/saml/metadata
subjectKeyIdentifier=hash
Run the following command (again, your IdP might require different parameters here):
openssl req -new -x509 -config sp-cert.cnf -text -out sp-cert.pem -days 1096
You are left with a certificate file (sp-cert.pem) and a key file (sp-key.pem). Combine these into a password-protected PKCS#12 file. (Note: you can use other forms of -passout to avoid typing the password in clear text in your terminal; I didn't care, as I performed these steps on my own machine, and I don't really see much point in password-protecting the key, as it should be stored in a protected environment anyway.)
openssl pkcs12 -export -in sp-cert.pem -inkey sp-key.pem -out sp-cert.p12 -passout pass:<<password>>
The .p12 file can be uploaded to your jamf SSO configuration.
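The whole procedure above (config file, self-signed certificate, PKCS#12 bundle) as one added shell example that is not part of the original post and not Jamf's own tooling. It assumes the hostname sp.example.com, the entityID https://example.jamfcloud.com/saml/metadata and a scratch directory, reads the export password from the SP_P12_PASS environment variable instead of passing it inline, and adds the checks worth running before the upload: both SAN entries are present, the signature is SHA-256, the key matches the certificate, and the .p12 really contains the private key and opens with the password.

```shell
#!/bin/sh
# Added example (not from the original post): build and verify the Jamf SSO
# SP certificate bundle. Hostname, entityID and WORKDIR are assumptions.
set -eu

SP_FQDN="sp.example.com"                                   # assumed SP FQDN
ENTITY_ID="https://example.jamfcloud.com/saml/metadata"    # assumed entityID
WORKDIR="${WORKDIR:-$(mktemp -d)}"                         # scratch directory
SP_P12_PASS="${SP_P12_PASS:-constructed-example-password}" # constructed default
export SP_P12_PASS

# Write the OpenSSL request config (same settings as the post's sp-cert.cnf,
# minus the obsolete RANDFILE line).
write_sp_config() {
  cat > "$WORKDIR/sp-cert.cnf" <<EOF
[req]
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
string_mask=MASK:0002
prompt=no
x509_extensions=ext
default_keyfile=$WORKDIR/sp-key.pem

[dn]
CN=$SP_FQDN

[ext]
subjectAltName=DNS:$SP_FQDN, URI:$ENTITY_ID
subjectKeyIdentifier=hash
EOF
}

# Create the self-signed certificate plus key, then bundle them as PKCS#12.
# The export password comes from the environment, so it stays out of the
# shell history and process listing.
make_sp_bundle() {
  write_sp_config
  openssl req -new -x509 -config "$WORKDIR/sp-cert.cnf" \
    -out "$WORKDIR/sp-cert.pem" -days 1096
  openssl pkcs12 -export -in "$WORKDIR/sp-cert.pem" \
    -inkey "$WORKDIR/sp-key.pem" -out "$WORKDIR/sp-cert.p12" \
    -passout env:SP_P12_PASS
}

# Pre-upload checks; returns 0 only if every check passes.
check_sp_bundle() {
  # 1. Both SAN entries the IdP will look for are present.
  san=$(openssl x509 -in "$WORKDIR/sp-cert.pem" -noout -ext subjectAltName)
  case "$san" in *"DNS:$SP_FQDN"*) ;; *) return 1 ;; esac
  case "$san" in *"URI:$ENTITY_ID"*) ;; *) return 1 ;; esac
  # 2. The certificate is signed with SHA-256, not SHA-1.
  openssl x509 -in "$WORKDIR/sp-cert.pem" -noout -text \
    | grep -q sha256WithRSAEncryption || return 1
  # 3. The private key really belongs to this certificate.
  cert_pub=$(openssl x509 -in "$WORKDIR/sp-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/sp-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # 4. The .p12 opens with the password and carries the private key.
  openssl pkcs12 -in "$WORKDIR/sp-cert.p12" -nocerts -nodes \
    -passin env:SP_P12_PASS 2>/dev/null | grep -q 'PRIVATE KEY' || return 1
  return 0
}

# Usage: sh sp-bundle.sh run   (builds the bundle and prints its location)
if [ "${1:-}" = "run" ]; then
  make_sp_bundle && check_sp_bundle && echo "sp-cert.p12 ready in $WORKDIR"
fi
```

If check_sp_bundle fails on the SAN check, the CN/DNS entry or the URI in the config does not match what the IdP expects; fix the config and regenerate rather than uploading a bundle the IdP will reject.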