Metadata exchange question

Hello
I’m working on a POC SSO Integration using SAML v2.0 ASP.NET Core (Idp Initiated workflow, http-post binding).
In the SP metadata file, I see a signing key. Is that key used in the Idp initiated workflow?

My understanding is that the SP needs the private key from the Idp Metadata file to verify the signature, and the Idp needs the public encryption key to encrypt the assertions. What is the purpose of the signing key in the SP metadata file in this case?

Thanks!

[quote]
modev - 12/17/2018
Hello
I'm working on a POC SSO Integration using SAML v2.0 ASP.NET Core (Idp Initiated workflow, http-post binding).
In the SP metadata file, I see a signing key. Is that key used in the Idp initiated workflow?

My understanding is that the SP needs the private key from the Idp Metadata file to verify the signature, and the Idp needs the public encryption key to encrypt the assertions. What is the purpose of the signing key in the SP metadata file in this case?

Thanks!

[/quote]

I think I found the answer. The SAML Metadata Guide (available here: https://www.componentspace.com/Forums/9354/SAML-Metadata-Guide) mentions that the X509Certificate (signing) key in the SP metadata is used to sign the SAML authn requests sent by the service provider. In our case, since the workflow is Idp Initiated, the trigger will be clicking a link on the Idp's website, not an AuthnRequest, so practically, that key will not be used.
If somebody could confirm, that would be great.

Thanks !

Your understanding is correct.
The SP signs SAML messages using its private key.
These messages are the SAML authn request, as part of SP-initiated SSO, and SAML logout messages.
If you’re not supporting SP-initiated SSO or SAML logout, you don’t need a signing key.
The only other scenario is if the SAML assertion is to be encrypted.
In this case, the SP’s private key is used to decrypt the SAML assertion.
However, encrypted assertions aren’t commonly used.
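As an added illustration of the answer above (example code written for this thread, not ComponentSpace's or the poster's code), the following script reads the KeyDescriptor elements from a constructed SP metadata document and reports which key uses the enabled SAML features actually rely on. The feature-to-key mapping follows the answer: SP-initiated SSO and SAML logout use the signing key, encrypted assertions use the encryption key, and a purely IdP-initiated HTTP-POST flow uses neither; the metadata, entity ID and certificate values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata sample (placeholder certificates, not real ones):
# one signing KeyDescriptor and one encryption KeyDescriptor.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Which SP key each feature relies on (as stated in the answer above).
# IdP-initiated SSO alone appears nowhere here because it needs no SP key.
FEATURE_KEY_USE = {
    "sp_initiated_sso": "signing",       # SP signs its AuthnRequest
    "saml_logout": "signing",            # SP signs LogoutRequest/LogoutResponse
    "encrypted_assertions": "encryption",  # SP decrypts with the matching private key
}


def key_uses(metadata_xml):
    """Return the set of KeyDescriptor 'use' values in the SPSSODescriptor.
    A KeyDescriptor without a 'use' attribute is valid for both uses."""
    root = ET.fromstring(metadata_xml)
    uses = set()
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses.update([use] if use else ["signing", "encryption"])
    return uses


def check_keys(metadata_xml, features):
    """features: names from FEATURE_KEY_USE that the deployment enables.
    Returns (missing, unused): key uses the features need but the metadata
    lacks, and key uses present in the metadata that no enabled feature needs."""
    present = key_uses(metadata_xml)
    needed = {FEATURE_KEY_USE[f] for f in features}
    return sorted(needed - present), sorted(present - needed)
```

For the thread's scenario (IdP-initiated only, unencrypted assertions) `check_keys(SP_METADATA, set())` reports both keys as unused, while enabling `encrypted_assertions` against metadata with no encryption KeyDescriptor reports `encryption` as missing.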