Single Sign-On with Database Replication - BlueCat Address Manager - 9.2.0

Address Manager Administration Guide

In the SSO integration, Address Manager has two distinct certificates:
  • An SSL certificate used to sign and authenticate HTTPS communication
  • A SAML certificate used to sign and authenticate a SAML Request to an IdP

SSL Certificate

In a scenario where Address Manager runs without database replication, Address Manager provides an SSL certificate that has the Common Name (CN) of the Primary server. For example, if the Primary server has a name of bam31.proteus, Address Manager provides an SSL certificate name of bam31.proteus.com.

In a scenario where Address Manager runs with database replication, Address Manager provides an SSL certificate that has the name of the Standby server. For example, if the Primary server has a name of bam31.proteus, Address Manager provides an SSL certificate name of bamany.proteus.com with an alternate name of bam31.proteus.com.

SAML Certificate

The SAML signing certificate is stored in the database and shared by the Standby server (and Standby server 2, if available) to sign all SAML authentication requests. This certificate does not have to be the same as the certificate used for HTTPS communication. However, the FQDN associated with this certificate should be a proxy that redirects to BAM nodes, depending on the DNS resolution. The FQDN should also be one of the names in the HTTPS certificate.
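As an added pre-flight check (example code written for this page, not BlueCat's own), the script below encodes the naming rules described above: it builds the HTTPS certificate names the page lists for the replicated and non-replicated cases (the hostnames bam31.proteus.com and bamany.proteus.com come from the page's example; the class and function names are assumptions) and verifies that the SAML certificate FQDN is one of those names, including RFC 6125-style single-label wildcard matching.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HttpsCertNames:
    """Names presented by the Address Manager HTTPS (SSL) certificate (assumed structure)."""
    common_name: str
    alt_names: List[str] = field(default_factory=list)

    def all_names(self) -> List[str]:
        # CN first, then Subject Alternative Names; lower-cased for comparison
        return [self.common_name.lower()] + [n.lower() for n in self.alt_names]


def name_matches(cert_name: str, fqdn: str) -> bool:
    """RFC 6125-style match: exact name, or a single left-most wildcard label."""
    cert_name = cert_name.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if cert_name == fqdn:
        return True
    if not cert_name.startswith("*."):
        return False
    # A wildcard covers exactly one label; it never covers the parent domain
    suffix = cert_name[1:]  # ".proteus.com" for "*.proteus.com"
    return fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]


def saml_fqdn_covered(https_cert: HttpsCertNames, saml_fqdn: str) -> bool:
    """True when the SAML certificate FQDN is one of the HTTPS certificate names."""
    return any(name_matches(n, saml_fqdn) for n in https_cert.all_names())


def expected_https_names(primary: str, standby_alias: Optional[str]) -> HttpsCertNames:
    """Names the page says the HTTPS certificate carries, with and without replication."""
    if standby_alias is None:
        # No replication: certificate carries the Primary server's name as CN
        return HttpsCertNames(common_name=primary)
    # Replication: CN is the shared/standby name, Primary name is an alternate name
    return HttpsCertNames(common_name=standby_alias, alt_names=[primary])


if __name__ == "__main__":
    # Constructed values, taken from the page's example hostnames
    no_repl = expected_https_names("bam31.proteus.com", None)
    repl = expected_https_names("bam31.proteus.com", "bamany.proteus.com")
    print(saml_fqdn_covered(no_repl, "bam31.proteus.com"))   # True
    print(saml_fqdn_covered(repl, "bamany.proteus.com"))     # True
    print(saml_fqdn_covered(no_repl, "bamany.proteus.com"))  # False
```

Run it against the names your HTTPS certificate actually presents (CN plus every SAN) before enabling SSO with replication; a False result means the SAML FQDN will not be covered by the HTTPS certificate.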