XML signatures may be used to sign SAML messages, assertions and metadata. For example, a SAML response containing a SAML assertion may be signed. Alternatively, just the SAML assertion may be signed.
An XML signature is contained within a <Signature> element within the http://www.w3.org/2000/09/xmldsig# namespace.
An XML signature lets the verifier detect any change made to the signed XML after it was signed, and it identifies the key, and therefore the party, that signed it.
For example, when an SP receives a signed SAML response from an IdP and the SP's signature verification succeeds, the SP is assured that the response was signed by the holder of the IdP's private key and that it has not been modified since. Having previously established a trust relationship with the IdP, i.e. the SP holds the IdP's public key or certificate in its own configuration, the SP can then consume the SAML response. Two details matter for this assurance to hold: the SP must verify against the IdP key it already trusts rather than a key carried inside the message, and it must confirm that the signature's reference actually covers the element it is about to consume (the response or the assertion, identified by its ID attribute).
The following is an example of a signed SAML response.
A signer signs with their private key and the verifier verifies with the signer's public key. For example, the IdP signs the SAML response using the IdP's private key. The SP verifies the SAML response signature using the IdP's public key, usually taken from the IdP's X.509 certificate held in the SP's configuration.
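The sign-then-verify exchange described above, as an added example that is not part of the original page and not ComponentSpace code. It uses the .NET `SignedXml` class (the `System.Security.Cryptography.Xml` package on .NET 6+) to sign a constructed, deliberately minimal SAML response (no Assertion, for brevity) with an IdP private key and to verify it on the SP side with the IdP's public key. The self-signed certificate generated in `Main`, the `_resp1` ID and the issuer names are assumptions standing in for a real IdP's signing certificate and identifiers.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not ComponentSpace code): sign a SAML response as the IdP and
// verify it as the SP, then show that tampering and a wrong key are both rejected.
class SamlSignatureExample
{
    const string SamlAssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample input: a minimal unsigned SAML response (real ones carry an Assertion).
    const string UnsignedResponse =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
        "xmlns:saml=\"" + SamlAssertionNs + "\" " +
        "ID=\"_resp1\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\">" +
        "<saml:Issuer>https://idp.example.com</saml:Issuer>" +
        "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>" +
        "</samlp:Response>";

    // IdP side: sign the Response element with the IdP's private key.
    static XmlDocument Sign(string xml, RSA idpPrivateKey, X509Certificate2 idpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        string id = doc.DocumentElement.GetAttribute("ID");

        var signedXml = new SignedXml(doc) { SigningKey = idpPrivateKey };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Reference the element by ID; the enveloped transform keeps the Signature itself out of the digest.
        var reference = new Reference("#" + id) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        // Embed the certificate so the SP can see which key was claimed (it must still use its own copy).
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(idpCert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        XmlElement signatureElement = signedXml.GetXml();

        // The SAML schema places ds:Signature directly after saml:Issuer.
        XmlNode issuer = doc.DocumentElement.GetElementsByTagName("Issuer", SamlAssertionNs)[0];
        doc.DocumentElement.InsertAfter(doc.ImportNode(signatureElement, true), issuer);
        return doc;
    }

    // SP side: verify with the IdP public key from the SP's own configuration, never from the message.
    static bool Verify(XmlDocument doc, X509Certificate2 trustedIdpCert)
    {
        XmlNodeList signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);

        // The signature must cover the Response element we are about to consume, not some other element.
        string expectedUri = "#" + doc.DocumentElement.GetAttribute("ID");
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != expectedUri)
            return false;

        using RSA publicKey = trustedIdpCert.GetRSAPublicKey();
        return signedXml.CheckSignature(publicKey);
    }

    static X509Certificate2 SelfSigned(string subject, RSA key) =>
        new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

    static void Main()
    {
        // Assumption: an ephemeral self-signed certificate stands in for the IdP's real signing certificate.
        using RSA idpKey = RSA.Create(2048);
        using X509Certificate2 idpCert = SelfSigned("CN=idp.example.com", idpKey);

        XmlDocument signed = Sign(UnsignedResponse, idpKey, idpCert);
        Console.WriteLine(signed.OuterXml);
        Console.WriteLine("valid: " + Verify(signed, idpCert));

        // Any change after signing breaks the digest and the signature no longer verifies.
        var tampered = (XmlDocument)signed.CloneNode(true);
        tampered.DocumentElement.GetElementsByTagName("Issuer", SamlAssertionNs)[0].InnerText = "https://evil.example.com";
        Console.WriteLine("valid after tampering: " + Verify(tampered, idpCert));

        // An intact response signed by some other key is rejected because the SP only trusts the IdP's key.
        using RSA otherKey = RSA.Create(2048);
        using X509Certificate2 otherCert = SelfSigned("CN=other.example.com", otherKey);
        Console.WriteLine("valid with wrong key: " + Verify(signed, otherCert));
    }
}
```

The point of `Verify` taking `trustedIdpCert` rather than reading the certificate out of `<KeyInfo>` is that anyone can embed a certificate they control in a message; only a key the SP already holds for that IdP proves the message came from the IdP. The reference URI check ensures the verified digest is of the Response element the SP consumes.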