Generating "public key" for assertion signing

Our web application currently has the option for users to turn on and off “WantAssertionEncrypted” on their IDP assertions.

From my understanding they need to assign their assertion with a “public” key that we provide, and we decrypt with a private certificate that we have.

How do we generate the “public key” that we provide to our clients? And likewise, how do we reference the certificate used to decrypt on our side (SP)?

Would we assign the decryption cert like this?

// Assign the certificate
samlConfiguration.PartnerIdentityProviderConfigurations[idpKey].PartnerCertificateFile = "spCert.cer";

SAML assertions are encrypted by the IdP using the SP’s public key. They’re decrypted by the SP using the SP’s private key.

As the SP, you supply your public key to the IdP. Typically this is done either by supplying them with your .CER certificate file or with the certificate included in your SAML metadata.

The corresponding private key may be stored in a .PFX file and is specified as the local certificate in your SAML configuration. The partner IdP certificate is not involved in SAML encryption. That’s used for signature verification.

Our Certificate Guide offers a number of suggestions for generating self-signed certificates. Of course, you can always use a CA issued certificate if you prefer.

The recently included CreateSelfSignedCert console app project generates a PFX and CER file for you.
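As an added illustration of the key/certificate split described in the reply above (this is not code from the poster or from the ComponentSpace product), the following shell script uses openssl to produce the two files the SP needs: a .cer holding only the public certificate, which is what gets handed to the IdP, and a password-protected .pfx holding the private key, which stays on the SP as its local certificate. The subject name, output paths and PFX password are made-up placeholders.

```shell
#!/bin/sh
# Added example: generate a self-signed SP encryption certificate with openssl.
# Assumes openssl is on PATH. All names and the password below are placeholders.
set -e

SP_CN="sp.example.com"       # placeholder subject name for the SP certificate
PFX_PASSWORD="change-me"     # placeholder; use a real secret in deployment

# Create sp.key / sp.pem (private key + self-signed cert), then derive:
#   sp.cer  - DER-encoded public certificate, safe to give to the IdP
#   sp.pfx  - PKCS#12 bundle with the private key, kept on the SP only
gen_sp_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 730 -nodes \
        -subj "/CN=$SP_CN" \
        -keyout "$dir/sp.key" -out "$dir/sp.pem" 2>/dev/null
    openssl x509 -in "$dir/sp.pem" -outform DER -out "$dir/sp.cer"
    openssl pkcs12 -export -inkey "$dir/sp.key" -in "$dir/sp.pem" \
        -out "$dir/sp.pfx" -passout "pass:$PFX_PASSWORD"
    chmod 600 "$dir/sp.key" "$dir/sp.pfx"
}

# Sanity check before publishing the .cer: the public key inside it must be the
# one that belongs to the private key in the .pfx, otherwise the IdP encrypts
# assertions to a key the SP cannot decrypt with. Returns 0 when they match.
keys_match() {
    dir="$1"
    cer_pub=$(openssl x509 -in "$dir/sp.cer" -inform DER -pubkey -noout)
    pfx_pub=$(openssl pkcs12 -in "$dir/sp.pfx" -nocerts -nodes \
                  -passin "pass:$PFX_PASSWORD" 2>/dev/null | openssl pkey -pubout)
    [ -n "$cer_pub" ] && [ "$cer_pub" = "$pfx_pub" ]
}
```

Ship only sp.cer (or embed it in the SP metadata); sp.key and sp.pfx never leave the SP.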