I am trying to configure my application (SP) to work with remote IDP. The IDP provided me with a certificate to configure with SP. For SAML request, do I use SP's public key or IDP's? Also, where can I find good resources to study SAML in detail (apart from the oasis formal documents). The tutorials that I find are very simplistic (i.e. they just describe that SP goes to IDP and then it is redirected back but do not go into detail on SAML messages). The oasis documents are confusing. Thanks for any answers
The SP redirects the user to the appropriate IdP. The IdP authenticates the user's identity. The IdP creates and signs an XML-based SAML assertion that includes information about the user's identity, along with any other attribute information that the IdP and SP agreed to share to authenticate users.
Signing Key and Certificate
A signing credential is a key pair used for XML Signature, which provides authenticity and integrity at the message level. The public key is bound to a signing certificate in metadata. The private key is securely held by the party that signs the XML message.
The private key is used to sign SAML messages, while the public key is used to encrypt a message so only you can decrypt it, and to verify your signatures. The certificate is published with your SAML metadata and is freely distributed to your relying parties.
The IdP determines if the Windows session exists and gets the credentials of the currently logged-in user. It generates a SAML Response. An Identity Provider (IdP) manages the user's identity and attributes. And the application the user wants to log in to and access is your service provider (SP).
Signing is done using private keys - not public keys.
So, if the SAML request needs to be signed, the SP must use its private key for it. Also, a certificate containing the SP's public key should be given to the IdP to validate the signature.
The reason for IdP providing you its certificate is for SP to validate the signed SAML responses sent by the IdP.
I'm not 100% sure, but it looks from these two sources that you should sign with your (SP's) private key and share the associated public key with the IdP so they can verify the signature.
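The answers above agree on the key roles: the SP signs its AuthnRequest with its own private key and gives the IdP a certificate carrying the matching public key, while the IdP's certificate exists so the SP can verify the IdP's signed responses. The following is an added example, not code from the question or any of the answers, that shows those roles concretely for the SAML HTTP-Redirect binding, where the signature is computed over the URL-encoded query string (`SAMLRequest=...&RelayState=...&SigAlg=...`) rather than as an embedded XML Signature, so it can be done with the Go standard library alone. The self-signed certificates, the `sp.example.com`/`idp.example.com` names, the sample AuthnRequest and the `must`, `selfSignedCert`, `deflateB64`, `BuildRedirectQuery` and `VerifyRedirectQuery` helpers are all constructed for this illustration and are not part of any SAML library.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed sample AuthnRequest (not real SP output); only its bytes matter here.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com</saml:Issuer></samlp:AuthnRequest>`

// SigAlg URI the Redirect binding uses for RSA with SHA-256.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert stands in for a party's signing key pair and the certificate it publishes in metadata.
func selfSignedCert(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// deflateB64 applies the Redirect-binding encoding: raw DEFLATE, then base64 (URL-encoding comes later).
func deflateB64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on a bad level
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// BuildRedirectQuery is the SP side: the signature covers "SAMLRequest=...&RelayState=...&SigAlg=..."
// (URL-encoded values, in that order) and is produced with the SP's PRIVATE key.
func BuildRedirectQuery(spKey *rsa.PrivateKey, xml, relayState string) string {
	toSign := "SAMLRequest=" + url.QueryEscape(deflateB64(xml))
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(rsaSHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, spKey, crypto.SHA256, digest[:])
	must(err)
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
}

// VerifyRedirectQuery is the IdP side: it rebuilds the signed string from the parameters exactly as
// received (still URL-encoded) and checks it against the PUBLIC key in the SP's certificate.
func VerifyRedirectQuery(spCert *x509.Certificate, query string) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			raw[parts[0]] = parts[1]
		}
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != rsaSHA256 {
		return fmt.Errorf("unsupported or missing SigAlg %q", alg) // never let the sender pick a weak algorithm
	}
	toVerify := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok {
		toVerify += "&RelayState=" + rs
	}
	toVerify += "&SigAlg=" + raw["SigAlg"]
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a missing or malformed Signature fails the check below
	pub, ok := spCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("SP certificate does not carry an RSA key")
	}
	digest := sha256.Sum256([]byte(toVerify))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	spKey, spCert := selfSignedCert("sp.example.com") // SP keeps spKey private and gives spCert to the IdP
	_, idpCert := selfSignedCert("idp.example.com")   // the IdP's cert is for ITS signed responses, not this check
	query := BuildRedirectQuery(spKey, sampleAuthnRequest, "relay_state_1")
	fmt.Println("verify with SP cert: ", VerifyRedirectQuery(spCert, query))  // <nil>
	fmt.Println("verify with IdP cert:", VerifyRedirectQuery(idpCert, query)) // crypto/rsa: verification error
}
```

Two points from the verifier side are worth keeping in mind when you move to a real SAML library. First, the IdP must reconstruct the signed string from the parameter values as they arrived on the wire, not re-encode them, because different URL encoders produce different bytes for the same value. Second, for the HTTP-POST binding and for the IdP's signed Response the signature is an XML Signature inside the document, which requires canonicalization (C14N) and careful reference handling; use a maintained library for that rather than hand-rolling it. The key roles stay the same in both directions: whoever signs uses their own private key, and the other party verifies with the public key in the certificate it was given, pinned to the partner registered in metadata rather than to whatever certificate the message happens to carry.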