Before establishing a trust relationship between a SAML service provider and an IdP, the two services must have well-established, cryptographically secure identities. This identity information must be exchanged so that the service provider (SP) knows who its IdP is and vice versa.

The exchange is performed by having each service generate a metadata XML file that is then provided to the other service; the SP metadata carries the SP's X.509 certificate, and the IdP metadata carries the IdP's. By default, the identity certificate and private key used by Carbon Black EDR (acting as the SAML service provider) are /etc/cb/cert/cb-server.crt and /etc/cb/cert/cb-server.key. This same identity is also used for server-sensor authentication and for the web user interface's HTTPS server authentication.

You can also configure Carbon Black EDR to use a separate set of certificate/key files for SSO by updating configuration fields in the SSO configuration file.
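The following is an added example, not code from Carbon Black EDR or its documentation. It shows what the metadata exchange described above looks like in practice: it builds minimal SAML 2.0 SP metadata that embeds a PEM certificate as a KeyDescriptor, and then checks that the certificate inside a metadata file actually matches the certificate on disk (by SHA-256 fingerprint of the DER bytes), which is the check you want after rotating either the default cb-server.crt or a separate SSO certificate. The entity ID and assertion consumer URL are placeholders, and the PEM blob is constructed sample bytes, not a real certificate, so the script runs offline.

```python
"""Build SAML 2.0 SP metadata embedding a PEM certificate, and verify that
the certificate in a metadata file matches the certificate on disk.
Added example; uses only the standard library."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Placeholders (assumptions): real values come from your EDR deployment.
SP_ENTITY_ID = "https://cb.example.com"
SP_ACS_URL = "https://cb.example.com/saml/acs"


def make_sample_pem(der_bytes: bytes) -> str:
    """Wrap arbitrary bytes in PEM CERTIFICATE armor. Constructed sample:
    the result is NOT a real X.509 certificate, it only stands in for
    /etc/cb/cert/cb-server.crt so the example runs offline."""
    body = base64.encodebytes(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_PEM = make_sample_pem(b"constructed sample DER bytes, not a real certificate")


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, as hex."""
    return hashlib.sha256(der).hexdigest()


def build_sp_metadata(entity_id: str, acs_url: str, pem: str) -> str:
    """Return SP metadata XML whose KeyDescriptors embed the given cert."""
    b64 = base64.b64encode(pem_to_der(pem)).decode()
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root, f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
        AuthnRequestsSigned="true", WantAssertionsSigned="true")
    # One KeyDescriptor per use; both point at the same SP certificate here.
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = b64
    ET.SubElement(
        sp, f"{{{MD_NS}}}AssertionConsumerService",
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        Location=acs_url, index="0")
    return ET.tostring(root, encoding="unicode")


def metadata_cert_fingerprints(xml_text: str) -> set:
    """Fingerprints of every ds:X509Certificate found in a metadata file."""
    out = set()
    for el in ET.fromstring(xml_text).iter(f"{{{DS_NS}}}X509Certificate"):
        if el.text:
            out.add(fingerprint(base64.b64decode("".join(el.text.split()))))
    return out


def metadata_matches_disk_cert(xml_text: str, pem: str) -> bool:
    """True only if the metadata carries exactly the on-disk certificate."""
    fps = metadata_cert_fingerprints(xml_text)
    return bool(fps) and fps == {fingerprint(pem_to_der(pem))}


if __name__ == "__main__":
    md = build_sp_metadata(SP_ENTITY_ID, SP_ACS_URL, SAMPLE_PEM)
    print(md)
    print("metadata matches disk cert:", metadata_matches_disk_cert(md, SAMPLE_PEM))
```

To use this against a real deployment, read the PEM from /etc/cb/cert/cb-server.crt (or the separate SSO certificate you configured) instead of SAMPLE_PEM. The IdP keeps the copy of the SP metadata you gave it, so re-run the comparison after any certificate rotation: a mismatch means the IdP will reject the SP's signatures until fresh metadata is exchanged.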