Configuring HES as IdP

Hideez Enterprise Server – Configuring HES as IdP

A certificate in ".pfx" format is required for the SAML protocol to work. It can be generated, for example, with OpenSSL, or an existing certificate can be used. Copy the certificate file to the HES server (e.g. into the folder with the binary files and settings). Then edit the "appsettings.Production.json" file:

    "Saml2": {
      "Issuer": "https://example.com",
      "SingleSignOnDestination": "https://example.com/Saml/Login",
      "SingleLogoutDestination": "https://example.com/Saml/Logout",
      "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
      "SigningCertificateFile": "saml.pfx",
      "SigningCertificatePassword": "password",
      "CertificateValidationMode": "None",
      "RevocationMode": "NoCheck"
    },

· Issuer - an arbitrary unique IdP name. You can use the host URL, for example https://example.com.
· SingleSignOnDestination - the address of the login page. It consists of your site address + "/Saml/Login".
· SingleLogoutDestination - the address of the logout page. It consists of your site address + "/Saml/Logout".
· SignatureAlgorithm - the signature algorithm. It must match the algorithm with which the .pfx certificate was created. The possible options are SHA1 / SHA256 / SHA384 / SHA512:
  - SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - SHA256: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  - SHA384: http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
  - SHA512: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
· SigningCertificateFile - the path to the certificate file.
· SigningCertificatePassword - the password of the certificate file.
· CertificateValidationMode - the certificate validation method:
  - None - certificate verification is not performed.
  - PeerTrust - a certificate is valid if it is in the Trusted People store.
  - ChainTrust - a certificate is valid if the certificate chain starts in the trusted root certification authority (CA) store.
  - PeerOrChainTrust - a certificate is valid if it is in the Trusted People store, or the certificate chain starts in the trusted root CA store.
· RevocationMode - the mode for checking the revocation of the X.509 certificate:
  - NoCheck - no certificate revocation check is performed.
  - Offline - validation is performed using a cached certificate revocation list (CRL).
  - Online - validation is performed using a network-connected certificate revocation list.
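As an added example (not part of the Hideez documentation or the HES code base), a small Python check that reads the "Saml2" section and reports values that do not match the rules above, including the weak CertificateValidationMode and RevocationMode settings in the sample; the embedded configuration is constructed from the fragment on this page.

```python
import json
# Signature-algorithm URIs the page lists; SHA1 is kept only to recognise it.
SIGNATURE_ALGORITHMS = {
    "SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SHA384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
VALIDATION_MODES = {"None", "PeerTrust", "ChainTrust", "PeerOrChainTrust"}
REVOCATION_MODES = {"NoCheck", "Offline", "Online"}
# Constructed sample: the page's example fragment, as it would sit in the JSON file.
SAMPLE_CONFIG = json.loads("""{"Saml2": {
  "Issuer": "https://example.com",
  "SingleSignOnDestination": "https://example.com/Saml/Login",
  "SingleLogoutDestination": "https://example.com/Saml/Logout",
  "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "SigningCertificateFile": "saml.pfx",
  "SigningCertificatePassword": "password",
  "CertificateValidationMode": "None",
  "RevocationMode": "NoCheck"}}""")

def check_saml2(settings):
    """Return findings for the Saml2 section; an empty list means nothing to fix."""
    saml = settings.get("Saml2", {})
    findings = []
    if not saml.get("Issuer"):
        findings.append("Issuer must be a unique IdP name (e.g. the host URL)")
    # Login/logout endpoints must be the same site address plus the fixed paths.
    sso = saml.get("SingleSignOnDestination", "")
    slo = saml.get("SingleLogoutDestination", "")
    if not sso.endswith("/Saml/Login") or not slo.endswith("/Saml/Logout"):
        findings.append("destinations must be <site>/Saml/Login and <site>/Saml/Logout")
    elif sso[: -len("/Saml/Login")] != slo[: -len("/Saml/Logout")]:
        findings.append("login and logout destinations use different site addresses")
    alg = saml.get("SignatureAlgorithm")
    if alg not in SIGNATURE_ALGORITHMS.values():
        findings.append("SignatureAlgorithm is not a supported rsa-sha URI")
    elif alg == SIGNATURE_ALGORITHMS["SHA1"]:
        findings.append("SignatureAlgorithm uses SHA1; use SHA256 or stronger")
    mode = saml.get("CertificateValidationMode")
    if mode not in VALIDATION_MODES:
        findings.append("CertificateValidationMode is not a recognised value")
    elif mode == "None":
        findings.append("CertificateValidationMode None: no certificate verification")
    rev = saml.get("RevocationMode")
    if rev not in REVOCATION_MODES:
        findings.append("RevocationMode is not a recognised value")
    elif rev == "NoCheck":
        findings.append("RevocationMode NoCheck: revoked certificates are accepted")
    return findings
```

Run against the sample, it reports only the two validation-mode findings; switching them to ChainTrust and Online yields an empty list.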
