Signing Cert for SP

Hello,
I am the developer for an SP Site. In the past I have talked to someone on this site about whether it is necessary to provide a signing cert for the SP. I can no longer find the response to that but I seem to recall that it is not really necessary if everyone is on SSL. Is that still or even true?

Thanks,

- Matt

Hi Matt,

HTTPS should be the transport used as per the SAML specification and industry expectations.

The SAML response or assertion sent by the IdP must be signed. The SP needs the IdP’s public key (e.g. idp.cer file) to verify the signature.

If you’re supporting SP-initiated SSO, you have the option of signing the SAML authn request sent to the IdP. If you do sign the authn request, you’ll need an SP private key (e.g. sp.pfx file) and you’ll supply the IdP with the corresponding SP public key (e.g. sp.cer file).

Another scenario where you would need an SP private key is if you support SAML logout. The specification recommends that SAML logout messages are signed, although this is something you might be able to negotiate with the IdP.

Finally, if the SAML assertion is encrypted, you’ll need an SP certificate. The IdP encrypts the SAML assertion with the SP’s public key and the SP decrypts it with its corresponding private key. However, encrypting the SAML assertion isn’t common practice.
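Added example (not ComponentSpace code and not part of the original thread): the decision in the answer above can be read straight off the two parties' SAML metadata. The script below, standard library only, parses an SP's metadata and reports which of the three cases (signed AuthnRequest, signed logout messages, encrypted assertion) apply and therefore whether the SP needs a private key at all, flags the inconsistent case where the SP claims to sign but publishes no signing certificate, and pulls the IdP signing certificate that the SP always needs for verification. The metadata documents, entity IDs, URLs and certificate bodies are constructed placeholders. It treats a published SingleLogoutService as a reason to hold a signing key, following the recommendation above; as the answer notes, an IdP may agree to unsigned logout, in which case that reason can be dropped.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. Certificate bodies are placeholders, not
# real X.509 data; entity IDs and URLs are made up for this example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...SP-SIGNING-CERT-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The "everyone is on HTTPS, nothing else" SP from the question: no signed
# requests, no logout, no encryption, and so no certificate published.
MINIMAL_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://minimal-sp.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://minimal-sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...IDP-CERT-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def certs_for_use(descriptor, use):
    """Base64 certificates a role descriptor advertises for `use` ('signing' or
    'encryption'). A KeyDescriptor with no use attribute is valid for both
    purposes in SAML metadata, so it counts for either."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop wrapping whitespace
    return certs


def sp_key_requirements(sp_metadata_xml):
    """Map the SP's metadata onto the three cases in which the SP needs its own
    private key, and flag metadata that is internally inconsistent."""
    sp = ET.fromstring(sp_metadata_xml).find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    signs_requests = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    has_logout = sp.find("md:SingleLogoutService", NS) is not None
    signing_certs = certs_for_use(sp, "signing")
    encryption_certs = certs_for_use(sp, "encryption")

    reasons = []
    if signs_requests:
        reasons.append("signed AuthnRequest")
    if has_logout:  # assumption: logout messages will be signed, as recommended
        reasons.append("signed logout messages")
    if encryption_certs:
        reasons.append("encrypted assertion")

    problems = []
    if (signs_requests or has_logout) and not signing_certs:
        problems.append("SP signs messages but publishes no signing certificate")
    return {"private_key_needed": bool(reasons), "reasons": reasons, "problems": problems}


def idp_signing_certs(idp_metadata_xml):
    """Whatever the SP decides about its own keys, it needs at least one IdP
    signing certificate to verify the signed Response/Assertion."""
    idp = ET.fromstring(idp_metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    return certs_for_use(idp, "signing")


if __name__ == "__main__":
    for name, xml in (("full SP", SP_METADATA), ("minimal SP", MINIMAL_SP_METADATA)):
        print(name, sp_key_requirements(xml))
    print("IdP signing certs available:", len(idp_signing_certs(IDP_METADATA)))
```

Run against real metadata, the minimal SP case comes back with `private_key_needed` False, which is the "HTTPS only" situation Matt describes; the moment AuthnRequestsSigned is set, a SingleLogoutService is published, or an encryption KeyDescriptor appears, the SP needs an sp.pfx-style private key and must hand the matching public certificate to the IdP. The IdP certificate check is deliberately separate because it is unconditional.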

[quote]
ComponentSpace - 7/26/2022
[/quote]

Excellent, thank you.

You’re welcome.