Certificates in SAML are used only as a convenient way to handle the signing and encryption keys. Typically, the keys are shared either through metadata or through some secure transfer of the certificate to the parties involved in the SAML exchange. Thus, there is no need to have the certificates verified by a certificate authority.
This is also indicated in the SAML metadata specification (line 697).
This specification does not indicate either the permissible or proposed content of this element, nor its significance to the relying party. As a specific example, no consequences should be assumed from including an X.509 certificate by value or by reference. Its validity, renewals, revocation status and other relevant content may or may not apply, at the discretion of the relying party.
Therefore, I would just continue to use a self-signed certificate.
But if you want to buy a certificate, it must have the "digital signature" and "key encipherment" key usages. Regular SSL certificates (at least the ones I checked) do contain these usages.
The use of "digital signature" should be self-evident. "Key encipherment" is there because the key in the certificate is not used to encrypt the data directly. The data is encrypted with a symmetric-key algorithm, which is suitable for large amounts of data. That symmetric key is then encrypted with the RSA key (RSA is suitable for small data such as an encryption key). Thus, the RSA key is used to encrypt/encipher the key.
Anders Abel
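As an added example (not part of the answer above), the following shell script generates a self-signed certificate carrying the two key usages the answer names and then checks that a given certificate actually lists both; the subject name, file paths and function names are constructed for illustration and require OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Hypothetical helper script: self-signed SAML signing/encryption certificate
# with an explicit keyUsage extension, plus a check that the usages are present.
set -e
WORK=$(mktemp -d)

# gen_saml_cert <output prefix> <keyUsage list>
# Creates a 2048-bit RSA key and a self-signed certificate (constructed subject,
# two-year validity) whose keyUsage extension is exactly the list given.
gen_saml_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=saml.example.test" \
    -keyout "$1.key" -out "$1.crt" \
    -addext "keyUsage = critical, $2" >/dev/null 2>&1
}

# check_saml_key_usage <certificate file>
# Returns 0 only if the certificate's keyUsage extension lists both
# "Digital Signature" and "Key Encipherment", the usages a SAML party needs
# for XML signing and for encrypting the symmetric key of EncryptedAssertion.
check_saml_key_usage() {
  usage=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null) || return 1
  printf '%s\n' "$usage" | grep -q "Digital Signature" || return 1
  printf '%s\n' "$usage" | grep -q "Key Encipherment" || return 1
  return 0
}

# Usage: a certificate with both usages passes, one with only signing fails.
gen_saml_cert "$WORK/good" "digitalSignature, keyEncipherment"
gen_saml_cert "$WORK/signonly" "digitalSignature"
check_saml_key_usage "$WORK/good.crt" && echo "good.crt: usable for SAML"
check_saml_key_usage "$WORK/signonly.crt" || echo "signonly.crt: missing Key Encipherment"
```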