What certificate must my SP use to sign the SAML authentication request (AuthnRequest)?

The SAML AuthnRequest must be signed with an X.509 certificate. We recommend that you generate a self-signed certificate for this purpose and that you do not reuse the SSL/TLS certificate of your server. You therefore do not need to buy an additional certificate for signing the SAML AuthnRequest.

The SAML Signing certificate:
  • must be self-signed
  • must contain an RSA public key with a public modulus between 2048 and 4096 bits
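
One way to create such a certificate and check it against the two requirements above, using the OpenSSL command line. This is an added example, not SURFconext's own tooling; the file names, the subject CN `sp.example.org SAML signing` and the 3-year validity are assumptions.

```shell
#!/bin/sh
# Added example: create a dedicated self-signed SAML signing certificate and
# check it against the two requirements listed above.
# Assumptions: file names, subject CN and the 3-year validity are placeholders.

# gen_saml_signing_cert KEY_OUT CERT_OUT RSA_BITS
gen_saml_signing_cert() {
    # The private key is written unencrypted (-nodes), so create it with a
    # restrictive umask and keep it separate from the web server's TLS key.
    ( umask 077
      openssl req -x509 -newkey "rsa:$3" -nodes -sha256 -days 1095 \
          -subj "/CN=sp.example.org SAML signing" \
          -keyout "$1" -out "$2" 2>/dev/null )
}

# check_saml_signing_cert CERT_PEM -> exit status 0 if both requirements hold
check_saml_signing_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "cannot parse $cert as an X.509 certificate"; return 1; }

    # Self-signed: issuer equals subject AND the signature verifies with the
    # certificate's own public key (the certificate is its own trust anchor).
    s=$(openssl x509 -in "$cert" -noout -subject_hash)
    i=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$s" != "$i" ] || ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "not self-signed (or signature/validity check failed)"; return 1
    fi

    # RSA public key with a modulus between 2048 and 4096 bits.
    echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || {
        echo "public key is not RSA"; return 1; }
    bits=$(echo "$text" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ] || [ "$bits" -gt 4096 ]; then
        echo "RSA modulus is ${bits:-unknown} bits, expected 2048-4096"; return 1
    fi
    echo "ok: self-signed, RSA $bits bits"
}

# Stand-alone use: sh check-saml-cert.sh saml-signing.crt
if [ "$#" -eq 1 ]; then check_saml_signing_cert "$1"; fi
```
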

What does error code #72588 mean?

The SP did not receive the eduPersonTargetedID (EPTI) attribute. Ask SURFconext support to release this attribute. Please include your SAML EntityID and the error code in your message.

If you are using the guest IdP, ensure that your email address is validated at the OneGini service.