SAML: Why is the certificate within the Signature?

南笙 2020-11-30 18:01

I have to implement SSO with SAML for my company's website (as the relying party). An essential part of course is the verification of the signature. Here is the signature

3 answers
  •  有刺的猬
    2020-11-30 18:43

    The reason a public key is specified in the SAML response is because the metadata for an identity provider can specify multiple public keys. This allows the identity provider (asserting party) to specify to the service provider (relying party) the correct public key to use to verify the signature in the SAML response.

    For example, the asserting party's Metadata could look like the following:

    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <md:IDPSSODescriptor>
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo><ds:X509Data><ds:X509Certificate>BQUAMCMBgN...XerfXHHEZYZs=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
            </md:KeyDescriptor>
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo><ds:X509Data><ds:X509Certificate>H24a88h7zl...2zo28hH5DK78=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
            </md:KeyDescriptor>
        </md:IDPSSODescriptor>
    </md:EntityDescriptor>


    Although SAML 2.0 does not mandate that the public key be included, I haven't come across any identity providers who do not include the public key in their SAML response. If the public key is not specified with the assertion, then it should be inferable via the identity provider's metadata.

    In terms of trusting the public key being sent in the response, the public key must match one that is defined in the identity provider's metadata. These metadata details are usually provided by your customers who want to use SSO to access your application--you will know exactly what public key(s) to be looking for (i.e. you will probably request them to provide you their identity provider's metadata URL so you can fetch their metadata and pull down relevant information such as public keys, issuer endpoint, etc).

    If the public key supplied with the signature is one that is not specified in the metadata, then the SAML system must generate an error when validating the signature.
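The check the answer describes, as an added example that is not part of the original post or answer: the relying party parses the identity provider's metadata once, collects the certificates from every KeyDescriptor usable for signing, and then accepts the certificate embedded in a response's ds:KeyInfo only if it is one of them (compared as a SHA-256 fingerprint of the decoded DER, so line breaks and indentation around the base64 do not matter). If the response carries no certificate, the trusted metadata certificates are returned as the candidates to try, which is the "inferable from metadata" case. The metadata and response documents below are constructed; the base64 values are placeholders, not real X.509 certificates, and the actual XML-DSig verification against the selected certificate is left to an XML signature library.

```python
"""Pin the certificate in a SAML response's ds:KeyInfo to the IdP metadata.

Added example (not from the original post). All documents here are
constructed; the base64 blobs are placeholders, not real certificates.
"""
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed IdP metadata: two signing certificates (key rollover) and one
# encryption-only certificate that must NOT be accepted for signatures.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Q0VSVC1BLXBsYWNlaG9sZGVy
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q0VSVC1CLXBsYWNlaG9sZGVy</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q0VSVC1FLWVuY3J5cHRpb24=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(cert_b64: Optional[str]) -> str:
    """Constructed skeleton of a signed samlp:Response; only KeyInfo matters here."""
    key_info = ""
    if cert_b64 is not None:
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
                    "</ds:X509Data></ds:KeyInfo>" % cert_b64)
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
            '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>'
            + key_info + '</ds:Signature></samlp:Response>')


def decode_cert(b64_text: str) -> bytes:
    """Return DER bytes; XML serializers wrap base64, so strip all whitespace first."""
    return base64.b64decode("".join(b64_text.split()), validate=True)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def trusted_signing_certs(metadata_xml: str) -> Dict[str, bytes]:
    """Map fingerprint -> DER for every IdP certificate usable for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" is excluded.
    """
    root = ET.fromstring(metadata_xml)
    trusted: Dict[str, bytes] = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = decode_cert(cert.text or "")
            trusted[fingerprint(der)] = der
    return trusted


def embedded_certificate(response_xml: str) -> Optional[bytes]:
    """Certificate from the response-level ds:Signature/ds:KeyInfo, if any.

    A real SP repeats this for the Assertion's own Signature when present.
    """
    root = ET.fromstring(response_xml)
    cert = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        return None
    return decode_cert(cert.text)


def candidate_signing_certs(response_xml: str, metadata_xml: str) -> List[bytes]:
    """Return the DER certificate(s) the signature may be verified against.

    Embedded and trusted -> that one certificate. Absent -> every trusted
    signing certificate (verify against each). Embedded but not in the
    metadata -> ValueError; the signature must be treated as invalid.
    """
    trusted = trusted_signing_certs(metadata_xml)
    if not trusted:
        raise ValueError("IdP metadata publishes no signing certificate")
    embedded = embedded_certificate(response_xml)
    if embedded is None:
        return list(trusted.values())
    if fingerprint(embedded) not in trusted:
        raise ValueError("certificate in ds:KeyInfo is not a trusted IdP signing key")
    return [embedded]
```

The important ordering is that the KeyInfo certificate is only ever used for verification after it has been matched against the metadata set; verifying first and checking the certificate afterwards would let any self-signed certificate produce a "valid" signature.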
