Do not use demo certificates for active SAML configurations [Updated in Security Center 1.5]
Control whether demo certificates are used in production SAML configurations.
The demo certificates provided by ServiceNow should not be used in production SAML configurations because they are shared by all instances and protected by a known passphrase. If any SAML property that uses the certificate keystore is active (require_signed_authnrequest, require_signed_logoutrequest, or encrypt_assertion), the demo data should not be used. Because the demo keystore is shared by every instance, a request signed with it carries no integrity guarantee, and any message encrypted by the IDP could be decrypted by a bad actor who intercepts it.
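The rule above, expressed as an audit that can be run over an export of an instance's system properties. This is an added example, not ServiceNow's own code; it assumes the three options live under the glide.authenticate.sso.saml2.* prefix as "true"/"false" strings, uses a labelled placeholder for the demo keystore's sys_id, and treats a 32-character hexadecimal value as a well-formed sys_id.

```javascript
// Added example (not ServiceNow code): flag SAML configurations that rely on
// the shared demo keystore while signing or assertion encryption is enabled.
const PREFIX = "glide.authenticate.sso.saml2."; // assumed prefix
const KEYSTORE_PROP = PREFIX + "keystore";       // property named on the page
const DEMO_KEYSTORE_SYS_ID = "<sys_id-of-demo-keystore>"; // placeholder, not a real value
// Options that cause the keystore to be used for signing or decryption.
const KEYSTORE_DEPENDENT = [
  PREFIX + "require_signed_authnrequest",
  PREFIX + "require_signed_logoutrequest",
  PREFIX + "encrypt_assertion",
];
const SYS_ID_RE = /^[0-9a-f]{32}$/i; // shape of a ServiceNow sys_id

function isTrue(value) {
  return String(value).trim().toLowerCase() === "true";
}

// props: plain object mapping property name -> value (as exported from
// sys_properties). Returns { ok, active, reasons } with every finding.
function auditSamlKeystore(props) {
  const active = KEYSTORE_DEPENDENT.filter((name) => isTrue(props[name]));
  const keystore = String(props[KEYSTORE_PROP] || "").trim();
  const reasons = [];
  if (active.length === 0) {
    return { ok: true, active, reasons }; // keystore unused; nothing to check
  }
  if (keystore === "") {
    reasons.push("keystore is empty (default) while " + active.join(", ") + " active");
  } else if (keystore === DEMO_KEYSTORE_SYS_ID) {
    reasons.push("keystore points at the shared demo keystore");
  } else if (!SYS_ID_RE.test(keystore)) {
    reasons.push("keystore value is not a sys_id: " + keystore);
  }
  return { ok: reasons.length === 0, active, reasons };
}

// Constructed samples: a weak configuration and its hardened counterpart.
const weakProps = {
  [KEYSTORE_PROP]: DEMO_KEYSTORE_SYS_ID,
  [PREFIX + "require_signed_authnrequest"]: "true",
  [PREFIX + "encrypt_assertion"]: "true",
};
const hardenedProps = {
  ...weakProps,
  [KEYSTORE_PROP]: "0123456789abcdef0123456789abcdef", // custom keystore sys_id (constructed)
};
```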
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.authenticate.sso.saml2.keystore |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | string |
| Recommended value | sys_id of a custom keystore |
| Default value | empty string |
| Category | Communications |
| Security risk | |
| Dependencies and prerequisites | None |