If you want to run you own CA, we wrote a book encouraging those with few crypto skills to at least try (these were the folks with enough programming skills in visual basic to build object servers/components but not build systems). We aimed to complement the CAPICOM library Microsoft eventually released to the same audience - crypto APIs for dummies ..still wanting the assurance that they were using "reputable" and standard security services.

http://www.amazon.com/gp/offer-listing/0201309807/ref=dp_olp_1

Even tho it’s a book about a non SAML entity, it may yet help one to learn to bootstrap a SAML federation - a (distant) family member of the CA ...that we did write about. The step of issuing SAML metadata to bootstrap a federation is analogous to the CA administrator issuing a certificate to an OCSP validation authority (flame shield up).

I doubt that book talked much about it (tho I cannot really remember which control topics I wrote about, any more), Validation Authorities aimed to authorize a farm of servers listening on anycast addresses across the internet to make "status" statements on behalf of a leaf CA. The signatures could be across simple small messages (IETF), or Merkle hash trees (patented). Whereas a Validation Authority validation network might use IETF's signed OCSP messages to dynamically issue (a) signed statement(s) about a static cert to which various attributes about the subject (managed by third parties) may be attached, a SAML IDP issues signed XML "assertions"...to which various attributes about the subject (managed by third parties) may be attached (strangely enough). By fiat, attributes can be entitlements, and attribute contracts would (I grudgingly suppose) implement what a CISSP would probably call a network-/federation- wide non-discretionary security policy by controlling their release (IDP side) and acceptance (SP side).

Be aware that, in the book referenced, there is no academic tone and no text book grade organization of knowledge about the various issues involved in operating a CA. Read it before an exam, you will probably fail. (So don’t!  It was written to make you think, vs score highly on tests.) Note, furthermore, that anyone with a "professional" reputation to uphold in PKI gets as far away from the book (and the book's authors) as possible. It’s a PKI for dummies who would like to be otherwise - which is kind of an oxymoron within the PKI profession. Be aware that the code is 10 years old, written in languages that are not supported any longer by Microsoft, and though the compiled objects are still reputed to work with a modern Windows Server platform, the OS security models have changed so much that one might wish to start again. Actually... please start again!

The main object of the particular writing effort was... to persuade the unwashed, the perhaps-scorned, and the feeling-inept about certificates that they too COULD run their own CA - and then go off and do local integration ...using the (Microsoft) component-ware we focused on.

Peter.

------------

I'm sure that some people think the polite thing would be to say "sorry, we can't help you". And I might do that in some cases, but NOT with this question. Setting up a federation and creating/managing metadata is not something you can just wing. It would be like running a CA with the same level of understanding. It demands a serious response.

FWIW, I'm very glad that you found a solution you're happy with.

-- Scott