Hi Matt,
HTTPS should be the transport used as per the SAML specification and industry expectations.
The SAML response or assertion sent by the IdP must be signed. The SP needs the IdP's public key (e.g. idp.cer file) to verify the signature.
If you're supporting SP-initiated SSO, you have the option of signing the SAML authn request sent to the IdP. If you do sign the authn request, you'll need an SP private key (e.g. sp.pfx file) and you'll supply the IdP with the corresponding SP public key (e.g. sp.cer file).
Another scenario where you would need an SP private key is if you support SAML logout. The specification recommends that SAML logout messages be signed, although this is something you might be able to negotiate with the IdP.
Finally, if the SAML assertion is encrypted, you'll need an SP certificate. The IdP encrypts the SAML assertion with the SP's public key and the SP decrypts it with its corresponding private key. However, encrypting the SAML assertion isn't common practice.
Regards,
ComponentSpace Development
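As an added example (not part of the reply above and not ComponentSpace's own code), the following Go program walks through the key usage described in it: the SP verifies the IdP-signed Response with idp.cer, the IdP verifies an SP-signed AuthnRequest with sp.cer, the SP rejects a Response whose NameID was altered after signing, and an assertion encrypted to sp.cer is decrypted with the SP's private key. Everything is assumed: self-signed certificates generated at run time stand in for the idp.cer, sp.cer and sp.pfx files, RSA-SHA256 over raw bytes stands in for XML-DSig (no canonicalization is performed), and the messages, host names and user name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must panics on setup errors (broken random source, etc.) so the example setup stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newParty makes a key pair and self-signed DER certificate for one side: the private key
// plays the role of sp.pfx (or the IdP's signing key), the certificate that of sp.cer/idp.cer.
func newParty(cn string) (*rsa.PrivateKey, []byte) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return priv, must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
}

// publicKeyFromCert is all a receiver needs: the peer's .cer file, never its private key.
func publicKeyFromCert(der []byte) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("certificate does not carry an RSA public key")
}

// sign is RSA-SHA256 over the raw bytes; real SAML signs the canonicalized XML via XML-DSig.
func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]))
}

// verify checks a signature using only the sender's certificate; any change to the bytes fails it.
func verify(certDER, msg, sig []byte) error {
	pub, err := publicKeyFromCert(certDER)
	if err != nil {
		return err
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// runExchange walks the reply's scenarios on constructed stand-in messages; nil means every step behaved as expected.
func runExchange() error {
	idpKey, idpCer := newParty("idp.example.com")
	spKey, spCer := newParty("sp.example.com")
	authnRequest := []byte(`<samlp:AuthnRequest ID="_req1" Destination="https://idp.example.com/sso"/>`)
	response := []byte(`<samlp:Response InResponseTo="_req1"><saml:NameID>alice@example.com</saml:NameID></samlp:Response>`)
	assertion := []byte(`<saml:Assertion><saml:NameID>alice@example.com</saml:NameID></saml:Assertion>`)
	// SP-initiated SSO: the SP signs the AuthnRequest with sp.pfx, the IdP verifies with sp.cer.
	if err := verify(spCer, authnRequest, sign(spKey, authnRequest)); err != nil {
		return errors.New("IdP rejected the AuthnRequest: " + err.Error())
	}
	respSig := sign(idpKey, response) // the IdP signs the Response; the SP verifies with idp.cer
	if err := verify(idpCer, response, respSig); err != nil {
		return errors.New("SP rejected the Response: " + err.Error())
	}
	// A Response altered in transit (here the NameID) must not verify.
	tampered := bytes.Replace(response, []byte("alice"), []byte("admin"), 1)
	if verify(idpCer, tampered, respSig) == nil {
		return errors.New("tampered Response was accepted")
	}
	// Encrypted assertion: the IdP encrypts to sp.cer with RSA-OAEP and only sp.pfx decrypts
	// (XML Encryption wraps a symmetric content key this way; this short assertion fits directly).
	spPub := must(publicKeyFromCert(spCer)) // sp.cer was generated above, so parsing cannot fail
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, assertion, nil))
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spKey, ct, nil)
	if err != nil || !bytes.Equal(pt, assertion) {
		return errors.New("SP could not decrypt the assertion")
	}
	return nil
}

func main() {
	if err := runExchange(); err != nil {
		panic(err)
	}
}
```

Run it with `go run`; it exits silently when every check passes and panics with the failing step otherwise. Two points carry over to real deployments: the SP must verify against the IdP certificate it received out of band (metadata or the idp.cer file), never against a certificate embedded in the message it is verifying, and the private key in sp.pfx is the only secret in the exchange, so it needs the same protection as any other server credential.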