Some time ago I've worked on setting up SSO user authentication in a web application. The specific IdP was an ADFS server, but I don't think that's very important.
When configuring the application's SSO settings, I noticed that the IdP certificate's fingerprint is required, but not the certificate itself. Now, as I understand, the fingerprint is used by the application to validate the IdP's signature on the issued SAML token.
The question is how can the application verify the signature with just the certificate fingerprint? Doesn't it need the certificate's public key, which is part of the certificate itself, but not of it's fingerprint? How does this signature verification process work?