The SAML web site is no longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

SP certificate - per app or per app-instance

Hi all,

I have a SAML SP app implemented with simpleSAMLphp (

the application can be used by multiple independent organizations (think of a CMS as example).

In order to be able to support some Shibboleth IdPs' requirements, I have to have my application encrypt its SAML assertions, so I need to work with a certificate and provide the IdP with my certificate.


My question is:

Should I generate a certificate and private key once for my application, so that all organizations (all deployments of the app) will use the same key and certificate? (That would make life easier in terms of setup as well as publishing metadata of my SP.)

Or should I generate a certificate and private key for every installation of the application? (Which means I can only provide metadata of the SP after the application is installed and the certificate has been generated.)


Many thanks!

Gonen
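The second option in the question (one key pair per installation) is the one that keeps a key compromise or a key rotation scoped to a single deployment instead of every organization running the app, at the cost of being able to produce each installation's SP metadata only after that installation has generated its key. The script below, added here as an illustration and not code from the original post or from the simpleSAMLphp project, shows what that looks like in practice: it generates a per-tenant key pair with openssl and emits SP metadata that advertises the certificate for signing and for encryption. The tenant names (`acme`, `globex`), hostnames, entity IDs and ACS URLs are constructed placeholders; in simpleSAMLphp the generated files would be the ones referenced by an authsource's `privatekey` and `certificate` options.

```shell
#!/bin/sh
# Added example, not part of the original post: per-installation SP key pair
# plus SP metadata embedding the certificate. All names and URLs are constructed.
set -eu

# gen_sp_keypair TENANT OUTDIR
# Creates OUTDIR/TENANT.pem (private key) and OUTDIR/TENANT.crt (self-signed
# certificate). One call per deployment gives every installation its own key,
# so a leaked key in one tenant cannot be used to decrypt another tenant's
# assertions, and rotating one tenant's key touches only that tenant's IdPs.
gen_sp_keypair() {
  tenant="$1"; outdir="$2"
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:3072 -nodes -days 3652 \
    -subj "/CN=sp-${tenant}.example.org" \
    -keyout "$outdir/$tenant.pem" -out "$outdir/$tenant.crt" 2>/dev/null
  chmod 600 "$outdir/$tenant.pem"   # private key must not be world-readable
}

# cert_body FILE: the base64 payload of a PEM certificate without BEGIN/END lines,
# which is the form the metadata's X509Certificate element expects.
cert_body() {
  grep -v -- '-----' "$1" | tr -d '\n'
}

# sp_metadata ENTITY_ID ACS_URL CERT_FILE
# Prints an SPSSODescriptor. The same certificate is advertised with use="signing"
# and use="encryption"; the encryption descriptor is what lets an IdP encrypt
# assertions to this SP. Because the certificate differs per installation, this
# document can only be produced once that installation's key exists.
sp_metadata() {
  entity_id="$1"; acs_url="$2"; cert="$3"
  b64=$(cert_body "$cert")
  cat <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>${b64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>${b64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${acs_url}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# cert_fingerprint FILE: SHA-256 fingerprint of the certificate, useful for
# confirming which key a given tenant's published metadata advertises.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# demo WORKDIR: two tenants, two distinct keys, two metadata documents.
demo() {
  workdir="$1"
  for t in acme globex; do
    gen_sp_keypair "$t" "$workdir"
    sp_metadata "https://sp-${t}.example.org/saml/metadata" \
                "https://sp-${t}.example.org/saml/acs" "$workdir/$t.crt" \
                > "$workdir/$t-metadata.xml"
    echo "$t: $(cert_fingerprint "$workdir/$t.crt")"
  done
}
```

Run `demo "$(mktemp -d)"` to see two different fingerprints, one per tenant. With the shared-key option from the question, every deployment would print the same fingerprint and a single key would decrypt assertions intended for any organization, so the per-installation approach is the one a reviewer would expect unless all deployments are operated by the same party.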