Which public key (SP or remote IDP) to use when signing a SAML request

I am trying to configure my application (SP) to work with a remote IdP. The IdP provided me with a certificate to configure in the SP. Do I use the SP's or the IdP's public key for the SAML request? Also, where can I find good resources for a detailed study of SAML (besides the official OASIS documents)? The tutorials that I find are very simplified (i.e., they just describe that the SP goes to the IdP and then redirects back, without going into the details of the SAML messages). The OASIS documents are confusing. Thanks for any answers.

+4

2 answers

I'm not 100% sure, but from these two sources it is clear that you must sign with your own private key (the SP's) and share the associated public key with the IdP so that they can verify the signature.

+4

Signing is performed using private keys, not public keys.

So, if a SAML request needs to be signed, the SP must use its private key for it. In addition, a certificate containing the SP's public key must be provided to the IdP so it can verify the signature.

The reason the IdP is giving you its certificate is so the SP can verify signed SAML responses sent by the IdP.

+5
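As an added example (not code from the question or either answer), here are the key roles the answers describe, written in Go with the standard library's crypto/rsa and crypto/x509: each party signs with its own private key, and the peer verifies with the certificate (public key) it was given. Real SAML uses an XML-DSig enveloped signature over the canonicalized XML element; this example replaces that with a plain RSA-SHA256 signature over the message bytes to show only which key goes where. The hostnames, message IDs and XML fragments are constructed stand-ins.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party holds one side's key material: the private key it signs with (never shared)
// and the self-signed certificate carrying its public key, which it hands to its peer.
type Party struct {
	Name string
	priv *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewParty generates an RSA key pair and a self-signed certificate for it.
// Constructed for this example; a deployment would use properly issued keys.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Cert: cert}, nil
}

// Sign produces an RSA-SHA256 (PKCS#1 v1.5) signature over msg with this
// party's PRIVATE key. Only the owner of the key can do this.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, digest[:])
}

// Verify checks sig over msg using the PUBLIC key inside cert, i.e. the
// certificate the sending party shared with us. It returns nil on success.
func Verify(cert *x509.Certificate, msg, sig []byte) error {
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig)
}

// Result records the outcome of each verification in the exchange.
type Result struct {
	RequestVerifiedByIdP  bool // SP signed with SP private key; IdP checks with SP cert
	RequestWrongCertFails bool // the IdP's own cert cannot verify the SP's signature
	ResponseVerifiedBySP  bool // IdP signed with IdP private key; SP checks with IdP cert
}

// RunExchange performs both directions of the exchange described in the answer.
func RunExchange() (Result, error) {
	sp, err := NewParty("sp.example.com") // hypothetical SP
	if err != nil {
		return Result{}, err
	}
	idp, err := NewParty("idp.example.com") // hypothetical IdP
	if err != nil {
		return Result{}, err
	}

	// Constructed stand-ins for the SAML XML; real messages are signed with XML-DSig.
	authnRequest := []byte(`<samlp:AuthnRequest ID="_req1" Destination="https://idp.example.com/sso"/>`)
	response := []byte(`<samlp:Response ID="_resp1" InResponseTo="_req1"/>`)

	reqSig, err := sp.Sign(authnRequest) // SP -> IdP: signed with the SP's private key
	if err != nil {
		return Result{}, err
	}
	respSig, err := idp.Sign(response) // IdP -> SP: signed with the IdP's private key
	if err != nil {
		return Result{}, err
	}

	return Result{
		RequestVerifiedByIdP:  Verify(sp.Cert, authnRequest, reqSig) == nil,
		RequestWrongCertFails: Verify(idp.Cert, authnRequest, reqSig) != nil,
		ResponseVerifiedBySP:  Verify(idp.Cert, response, respSig) == nil,
	}, nil
}

func main() {
	r, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The `RequestWrongCertFails` check is the configuration mistake the question is about: the certificate the IdP handed over is useful only for checking the IdP's signed responses, and it cannot verify anything the SP signed. The SP's request signature is checked by the IdP against the SP's own certificate, which is why the SP has to publish that certificate (typically in its SP metadata) to the IdP.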
