When configuring SAML, the SAML signing certificate is used to establish a trust relationship between the identity provider and the service provider to ensure that messages are coming from the expected identity and service providers. The SAML signing certificate is used to sign SAML requests, responses, and assertions from the service to relying applications such as WebEx or Google Apps.

The Workspace ONE Access service automatically creates a self-signed certificate for SAML signing to handle the signing and encryption keys. You do not need a certificate from a certificate authority.

However, if your organization requires signing certificates from a certificate authority, you can generate a certificate signing request (CSR) in the Workspace ONE Access console and send it to your certificate authority. When you receive the signed certificate, you upload the external signing certificate to the Workspace ONE Access service, replacing the self-signed certificate.

The SAML metadata and the SAML signing certificate are displayed on the Workspace ONE Access console Resources > Web Apps > Settings page. Links for the SAML identity provider and service provider metadata files are also available from this page. The metadata includes configuration information and the certificates.
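
A relying application that pins the signing certificate has to pick up the new one when the self-signed certificate is replaced. The following added example (not VMware code) extracts the signing certificates from a SAML metadata file and compares their SHA-256 fingerprints with a pinned value; the metadata, the entityID and the certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates (not real certificates).
OLD_CERT_B64 = base64.b64encode(b"constructed-self-signed-cert-der").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-ca-signed-cert-der").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed-encryption-cert-der").decode()

def build_metadata(signing_b64):
    """Return constructed IdP metadata carrying one signing and one encryption key."""
    def key(use, b64):
        return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>\n{b64}\n</ds:X509Certificate>'
                f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.test/metadata">'
            f'<md:IDPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{key("signing", signing_b64)}{key("encryption", ENC_CERT_B64)}'
            f'</md:IDPSSODescriptor></md:EntityDescriptor>')

def signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints (hex) of every certificate usable for signing."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata files usually wrap the base64 text; drop all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha256(der).hexdigest())
    return prints

def check_pin(metadata_xml, pinned_sha256):
    """Compare the metadata's signing certificates with the pinned fingerprint."""
    found = signing_fingerprints(metadata_xml)
    if not found:
        return "no-signing-cert"
    return "match" if pinned_sha256.lower() in found else "changed"

if __name__ == "__main__":
    pin = signing_fingerprints(build_metadata(OLD_CERT_B64))[0]
    print(check_pin(build_metadata(OLD_CERT_B64), pin))  # before replacement
    print(check_pin(build_metadata(NEW_CERT_B64), pin))  # after replacement
```

A "changed" result after a planned certificate replacement is expected and means the relying application's trust configuration needs the new certificate; the same result without a planned change is worth investigating.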