SAML 2.0 SP metadata: Purpose and the use of certificate


In SAML 2.0 Web SSO metadata, providers typically declare the same certificate for both signing and encryption usage.

There are some use-cases where the use of different keys makes sense - e.g. when the SP itself is not supposed to be able to decrypt data provided by the IDP (e.g. the nameID or attributes), and this is only done by the ultimate recipient of the Assertion; or when a different party provides the content for the creation of the assertion than the party who actually creates the SAML messages - but those use-cases are rare and more relevant for other profiles than Web SSO.

The signing certificate is included in order to inform users of the metadata how to verify messages provided by the issuer of the metadata. For example, when the SP receives a message from the IDP, it uses the signing certificate defined in the IDP's metadata to verify that the message was created by the IDP and wasn't tampered with during transport.

You typically don't need to include the encryption certificate if encryption is done on the transport layer and you don't perform any encryption on the message level (e.g. of the whole message, the assertion, the nameID or attributes).
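An added example (not from the answer or the original post) of the check the answer describes: an SP picks the IdP's keys out of the metadata by their declared use, then accepts a certificate carried in a signed message only if the metadata lists it for signing. The entity ID, metadata and certificate values are constructed placeholders.

```python
# Added example (not from the original post): pick certificates out of SAML 2.0
# metadata by declared use, then check whether a certificate presented in a signed
# message is one the metadata trusts for signing. Standard library only; the
# metadata and certificate values are constructed placeholders, not real keys.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a signing key, an encryption key, and a KeyDescriptor
# with no 'use' attribute at all.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SIGNING-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENC-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>DUAL-USE-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def normalize_cert(b64):
    # Metadata and message KeyInfo wrap base64 differently; compare without whitespace.
    return re.sub(r"\s+", "", b64 or "")


def certs_for_use(metadata_xml, use):
    """Certificates usable for `use` ('signing' or 'encryption'). The 'use' attribute is
    optional; by convention a KeyDescriptor without it is treated as valid for both."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(normalize_cert(cert.text))
    return certs


def is_trusted_signing_cert(metadata_xml, presented_cert_b64):
    """True only if the certificate a message carries in its own KeyInfo is one the
    metadata declares for signing; an encryption-only key must never pass."""
    return normalize_cert(presented_cert_b64) in certs_for_use(metadata_xml, "signing")
```

The XML signature itself still has to be verified with the matching key (e.g. via xmlsec); this step only decides which key the metadata allows you to trust for that.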

Author: tony.0919

Updated on June 18, 2022

Comments

  • tony.0919 almost 2 years

    Here is part of the SP metadata.

    Reference: Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0

    ...
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    ...


    Are there any benefits to choosing the same (or a different) certificate for both the signing and the encryption certificate?

    What is the purpose of including the signing certificate here?

    If the message is sent through HTTPS, transport-layer encryption is provided. Do we still need to include the encryption certificate here?