I am developing SAML2 Service Provider capability (supporting IdP-Initiated SSO).
I understand the general flow is: 1) User authenticates at the IdP. 2) User launches to my SP via an HTTP POST to my SAML endpoint, containing the XML token. 3) My SP's Assertion Consumer Service eats that token up, verifies it and logs said user in.
What I don't understand is the certificates / Private Key parts. I understand that the IdP shares a certificate with the SP, and that the certificate is used to verify a SAML token when it arrives... but, I can't find any detail on this (except the official SAML spec, which I really struggle to understand).
My q's are: 1) Who creates the certificate? The IdP or the SP? 2) Who creates the Private Key? The IdP or the SP? 3) How does the Key relate to the certificate? 4) How are the key / certificate shared? 5) How are the key / certificate created?
So, as you see, I just want a PK / certificate for dummies explanation, in terms of who creates them, how they're created, where they're stored, etc.
Many thanks,
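An added OpenSSL walk-through (not from the original post) of the relationship the question asks about: the IdP generates the private key, self-signs a certificate that carries the matching public key, and publishes only the certificate; the SP verifies the signed token with that certificate alone and never needs the private key. It assumes the openssl CLI is installed; the file names, the CN and the assertion text are constructed placeholders, and a plain text file stands in for the signed XML assertion.

```shell
#!/bin/sh
# Added illustration: who holds what in IdP-initiated SAML signing.
# Assumes the openssl CLI; all paths and values below are hypothetical.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- IdP side: create the key pair and a self-signed certificate ---------
idp_create_signing_material() {
    # The private key is generated and kept by the IdP; it is never shared.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/idp-private.pem" 2>/dev/null
    # The certificate wraps the public half of that key and is signed with
    # the private half. This is what the IdP publishes in its SAML metadata.
    openssl req -new -x509 -key "$WORK/idp-private.pem" -days 365 \
        -subj "/CN=idp.example.test" -out "$WORK/idp-cert.pem" 2>/dev/null
}

# --- IdP side: sign the token (constructed stand-in for the XML) ----------
idp_sign() {
    printf '%s' "$1" > "$WORK/assertion.txt"
    openssl dgst -sha256 -sign "$WORK/idp-private.pem" \
        -out "$WORK/assertion.sig" "$WORK/assertion.txt"
}

# --- SP side: verify using ONLY the certificate received from the IdP ----
sp_verify() {
    # Pull the public key out of the certificate; this is all the SP has.
    openssl x509 -in "$WORK/idp-cert.pem" -pubkey -noout > "$WORK/idp-pub.pem"
    printf '%s' "$1" > "$WORK/received.txt"
    openssl dgst -sha256 -verify "$WORK/idp-pub.pem" \
        -signature "$WORK/assertion.sig" "$WORK/received.txt" >/dev/null 2>&1
}

idp_create_signing_material
idp_sign 'NameID=alice@example.test;Audience=sp.example.test'
# The untouched token verifies against the certificate ...
sp_verify 'NameID=alice@example.test;Audience=sp.example.test' && echo "verified: ok"
# ... while a token altered in transit fails, which is the ACS's core check.
sp_verify 'NameID=mallory@example.test;Audience=sp.example.test' || echo "tampered: rejected"
```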