Do multiple SPs from the same server each need their own public/private keys?

Guillaume Rousse guillaume.rousse at
Fri Aug 17 09:23:05 EDT 2018

Le 17/08/2018 à 14:58, Cody Carmichael a écrit :
> If I have a software product that runs on a server, and this product 
> consists of multiple services that provide their own login to a user, 
> does each SP need its own public/private key pair? Like for example, if 
> I have the following servers:
> So the first server has the following sources of metadata:
> And the second server would have the same. For each server, does each SP 
> need its own unique public cert in its metadata or can the SPs on one 
> server share just one public/private key pair?
A SAML certificate is bound to a SAML entity, ie a given entityID, not 
to a specific SP instance. However, nothing prevents you technicaly to 
share the same certificate for multiple entities hosted on the same SP, 
or even on different SPs. But using a unique certificate also means than 
a compromission, or a rollover issue, affect all applications, whereas 
using multiple ones would limit the impact.

Also, if you're using specific SAML profiles involving direct IdP/SP 
communications, standard TLS constraints applies, and you have to ensure 
consistency between certificate subject and URLs. If you're sharing a 
certificat between multiple applications, that's rather unpractical, 
even using SubjectAlternativeNames.

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3637 bytes
Desc: Signature cryptographique S/MIME
URL: <>

More information about the users mailing list