 

Which public key (SP or remote IDP) to use while signing SAML request

I am trying to configure my application (SP) to work with a remote IDP. The IDP provided me with a certificate to configure with the SP. For the SAML request, do I use the SP's public key or the IDP's? Also, where can I find good resources to study SAML in detail (apart from the OASIS formal documents)? The tutorials that I find are very simplistic (i.e. they just describe that the SP goes to the IDP and then it is redirected back, but do not go into detail on the SAML messages). The OASIS documents are confusing. Thanks for any answers.

doon asked Dec 23 '13 18:12



2 Answers

Signing is done using private keys - not public keys.

So, if the SAML request needs to be signed, SP must use its private key for it. Also, a certificate containing SP's public key should be given to the IdP to validate the signature.

The reason for IdP providing you its certificate is for SP to validate the signed SAML responses sent by the IdP.

drox answered Jan 02 '23 17:01


I'm not 100% sure, but it looks from these two sources that you should sign with your (SP's) private key and share the associated public key with the IdP so they can verify the signature.

  • How to create a signed AuthnRequest?
  • http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf (p.25)
Rob Starling answered Jan 02 '23 15:01
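Both answers make the same point: the SP signs with its own private key, the IdP checks that signature with the SP's public key (from the certificate the SP publishes in its metadata), and the certificate the IdP handed out is only for checking what the IdP signs. The program below is an added example, not code from the question or either answer, that shows this in working form using the SAML 2.0 HTTP-Redirect binding, where the signature covers the URL-encoded `SAMLRequest=...&RelayState=...&SigAlg=...` query string rather than the XML itself (that binding needs only the Go standard library; XML-DSig for the POST binding follows the same key roles but needs an XML canonicalization library). The AuthnRequest XML, the issuer URL, the RelayState value and both key pairs are constructed for the demo; in a real deployment the SP key comes from the SP's own keystore and the IdP side loads the SP certificate from metadata instead of generating a key.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256, as carried in the SigAlg query parameter.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample AuthnRequest; the ID and Issuer URL are made-up values.
const authnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1b2c3" Version="2.0" IssueInstant="2013-12-23T18:12:00Z">` +
	`<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/saml/metadata</saml:Issuer></samlp:AuthnRequest>`

// BuildRedirectQuery is the SP side: raw-DEFLATE and base64 the XML, sign the
// URL-encoded "SAMLRequest=...&RelayState=...&SigAlg=..." octets with the SP's
// PRIVATE key, and append the base64 signature as the Signature parameter.
func BuildRedirectQuery(spKey *rsa.PrivateKey, xml, relayState string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only errors on a bad level
	w.Write([]byte(xml))                                      // in-memory buffer: cannot fail
	w.Close()
	input := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" {
		input += "&RelayState=" + url.QueryEscape(relayState)
	}
	input += "&SigAlg=" + url.QueryEscape(rsaSHA256)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, spKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the IdP side: check the signature with the SP's PUBLIC
// key, taken from the certificate in the SP's metadata. The signed input is rebuilt
// from the parameter values exactly as received (still URL-encoded), because
// decoding and re-encoding could yield different bytes from the ones the SP signed.
func VerifyRedirectQuery(spPub *rsa.PublicKey, rawQuery string) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != rsaSHA256 {
		return fmt.Errorf("unsupported or missing SigAlg %q", alg)
	}
	sigB64, err := url.QueryUnescape(raw["Signature"])
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	input := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok {
		input += "&RelayState=" + rs
	}
	input += "&SigAlg=" + raw["SigAlg"]
	digest := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(spPub, crypto.SHA256, digest[:], sig)
}

// must panics on error; the demo keys are throwaway so there is nothing to recover.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo generates a throwaway SP key pair and an unrelated IdP key pair and returns
// three verification results: with the SP's public key (succeeds), with the IdP's
// public key (fails: the IdP certificate is the wrong key for checking SP
// signatures), and with the RelayState altered in transit (fails).
func Demo() (validErr, wrongKeyErr, tamperedErr error) {
	spKey := must(rsa.GenerateKey(rand.Reader, 2048))
	idpKey := must(rsa.GenerateKey(rand.Reader, 2048))
	query := must(BuildRedirectQuery(spKey, authnRequest, "relay 123"))
	tampered := strings.Replace(query, url.QueryEscape("relay 123"), url.QueryEscape("relay 999"), 1)
	return VerifyRedirectQuery(&spKey.PublicKey, query),
		VerifyRedirectQuery(&idpKey.PublicKey, query),
		VerifyRedirectQuery(&spKey.PublicKey, tampered)
}

func main() {
	valid, wrongKey, tampered := Demo()
	fmt.Println("SP public key verifies the SP-signed request:", valid == nil)
	fmt.Println("IdP public key rejects it:", wrongKey != nil)
	fmt.Println("tampered RelayState rejected:", tampered != nil)
}
```

The same roles apply in the other direction: when the IdP returns a signed Response, the SP verifies it with the public key in the certificate the IdP provided, which is the only thing that certificate is for in this flow. Verifying over the raw received query string, and rejecting any SigAlg other than the one you expect, are the two checks most often skipped in hand-rolled verifiers.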