I am developing SAML2 Service Provider capability (supporting IdP-Initiated SSO).

I understand the general flow is: 1) User authenticates at the IdP. 2) User launches to my SP via an HTTP POST to my SAML endpoint - containing XML token. 3) My SP's Assertion Consumer Service eats that token up, verifies it and logs said user in.

What I don't understand is the certificates / Private Key parts. I understand that the IdP shares a certificate with the SP, and that the certificate is used to verify a SAML token when it arrives... but, I can't find any detail on this (except the official SAML spec, which I really struggle to understand).

My q's are: 1) Who creates the certificate? The IdP or the SP? 2) Who creates the Private Key? The IdP or the SP? 3) How does the Key relate to the certificate? 4) How are the key / certificate shared? 5) How are the key / certificate created?

So, as you see, I just want a PK / Certificate for dummies explanation. In terms of who creates them / how they're created / where they're stored etc...

Many thanks,

1 Answer

The private key would be used by the IDP to sign the SAML tokens that are being generated and sent to the SP. The SP would use the public key certificate to validate the signature in the SAML token.

The private-public key pair will be created by the IDP and the private key kept on the IDP server for use during signing. The public key would be given to the SP as part of the metadata.

I would suggest you read through PKI articles to understand details of a PKI setup. The storage of private keys is very critical since they are used to guarantee that the tokens are not being tampered with.
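To make the roles in the answer concrete, here is an added example (not code from the question or answer above) of the three pieces: the IdP generates the key pair and wraps the public key in a self-signed certificate, the IdP signs with the private key, and the SP verifies using only the certificate it got from metadata. It signs the raw assertion bytes with RSA/SHA-256 rather than producing a real XML Signature, and the subject name `idp.example.test` is a constructed placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IdPKeyAndCert is the IdP side of setup: generate the key pair and wrap the
// public key in a self-signed certificate. The private key never leaves the
// IdP; only the DER certificate goes into the metadata handed to the SP.
func IdPKeyAndCert() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "idp.example.test"}, // constructed placeholder
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, err
}

// IdPSign hashes the assertion bytes and signs the digest with the private key.
func IdPSign(priv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	h := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// SPVerify is the SP's Assertion Consumer Service side: take the public key
// out of the metadata certificate and check the signature. Any change to the
// assertion bytes, or a signature made with a different key, returns false.
func SPVerify(certDER, assertion, sig []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(assertion)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```

A real SP additionally checks that the certificate in the token matches the one pinned from metadata and validates the XML Signature over the canonicalised assertion, but the trust relationship is exactly this one.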