Signing Cert for SP
Matt Olson
Junior Member
Group: Forum Members
Posts: 22, Visits: 115
Hello,
I am the developer for an SP Site. In the past I have talked to someone on this site about whether it is necessary to provide a signing cert for the SP. I can no longer find the response to that but I seem to recall that it is not really necessary if everyone is on SSL. Is that still or even true?

Thanks,

- Matt
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Matt,

HTTPS should be the transport used as per the SAML specification and industry expectations.

The SAML response or assertion sent by the IdP must be signed. The SP needs the IdP's public key (e.g. idp.cer file) to verify the signature.

If you're supporting SP-initiated SSO, you have the option of signing the SAML authn request sent to the IdP. If you do sign the authn request, you'll need an SP private key (e.g. sp.pfx file) and you'll supply the IdP with the corresponding SP public key (e.g. sp.cer file).

Another scenario where you would need an SP private key is if you support SAML logout. The specification recommends that SAML logout messages are signed although this is something you might be able to negotiate with the IdP.

Finally, if the SAML assertion is encrypted, you'll need an SP certificate. The IdP encrypts the SAML assertion with the SP's public key and the SP decrypts it with its corresponding private key. However, encrypting the SAML assertion isn't common practice.

Regards
ComponentSpace Development
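The key roles described in the reply above, as an added example that is not ComponentSpace's code or API: it uses the .NET base class library (System.Security.Cryptography.Xml's SignedXml) to sign an AuthnRequest with the SP private key from sp.pfx and to verify a signed message with nothing but a public-key certificate such as idp.cer or sp.cer. The file names follow the reply; the PFX password, the sample AuthnRequest and the entity IDs are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not ComponentSpace code. Shows which key each side needs:
// the signer needs a private key (sp.pfx), the verifier only a public key (idp.cer / sp.cer).
public static class SamlSigningDemo
{
    // SP side: sign the AuthnRequest with the SP private key (enveloped XML-DSig, RSA-SHA256).
    public static XmlDocument SignAuthnRequest(XmlDocument authnRequest, X509Certificate2 spCert)
    {
        if (!spCert.HasPrivateKey)
            throw new ArgumentException("signing requires the SP private key, i.e. sp.pfx rather than sp.cer");

        var signedXml = new SignedXml(authnRequest) { SigningKey = spCert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Bind the signature to the request's ID attribute, as SAML requires.
        string id = authnRequest.DocumentElement.GetAttribute("ID");
        var reference = new Reference("#" + id) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        // Embed sp.cer so the IdP can identify the key; the IdP should still compare it
        // with the sp.cer it received out of band rather than trusting KeyInfo alone.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(spCert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        XmlElement signature = signedXml.GetXml();
        // SAML places <ds:Signature> directly after <saml:Issuer>.
        XmlNode issuer = authnRequest.DocumentElement.FirstChild;
        authnRequest.DocumentElement.InsertAfter(authnRequest.ImportNode(signature, true), issuer);
        return authnRequest;
    }

    // Verifier side (SP checking an IdP response, or IdP checking an SP request):
    // only the signer's public key certificate is needed, and it is pinned from configuration.
    public static bool VerifySignature(XmlDocument message, X509Certificate2 signerCert)
    {
        var nsmgr = new XmlNamespaceManager(message.NameTable);
        nsmgr.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        var sigNode = message.DocumentElement.SelectSingleNode("ds:Signature", nsmgr) as XmlElement;
        if (sigNode == null)
            return false; // unsigned message: reject, the reply says it must be signed

        var signedXml = new SignedXml(message);
        signedXml.LoadXml(sigNode);

        // The signature must cover the element we are about to act on, not some other ID.
        string expectedRef = "#" + message.DocumentElement.GetAttribute("ID");
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != expectedRef)
            return false;

        // Verify against the pinned certificate, ignoring whatever KeyInfo the message carries.
        return signedXml.CheckSignature(signerCert.GetRSAPublicKey());
    }

    public static void Main()
    {
        // sp.pfx holds the SP private key; "sp-password" is a placeholder.
        var spCert = new X509Certificate2("sp.pfx", "sp-password");
        // sp.cer is what the SP hands to the IdP: the same certificate without the private key.
        var spPublicOnly = new X509Certificate2(spCert.Export(X509ContentType.Cert));

        // Constructed sample AuthnRequest; PreserveWhitespace matters for signature verification.
        var authnRequest = new XmlDocument { PreserveWhitespace = true };
        authnRequest.LoadXml(
            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
            "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
            "ID=\"_example1\" Version=\"2.0\" IssueInstant=\"2022-07-26T00:00:00Z\">" +
            "<saml:Issuer>https://sp.example.com/saml</saml:Issuer></samlp:AuthnRequest>");

        XmlDocument signed = SignAuthnRequest(authnRequest, spCert);
        Console.WriteLine("IdP-side check with sp.cer only: " + VerifySignature(signed, spPublicOnly));

        // For the reverse direction the SP would load idp.cer the same way and call
        // VerifySignature(samlResponse, new X509Certificate2("idp.cer")).
    }
}
```

The point the reply makes is visible in the two halves: `SignAuthnRequest` refuses to run without a private key, while `VerifySignature` only ever touches `GetRSAPublicKey()`, so an SP that never signs requests or logout messages and never receives encrypted assertions has no need for sp.pfx at all; idp.cer is what it must hold in every case. Verifying against the pinned certificate rather than the embedded KeyInfo, and checking that the single reference points at the element being consumed, are the two checks that keep the signature meaningful.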
Matt Olson
Junior Member
Group: Forum Members
Posts: 22, Visits: 115
ComponentSpace - 7/26/2022

Excellent, thank you.
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome.

Regards
ComponentSpace Development