Why use an x.509 certificate to encrypt xml? Why not just transmit over https?

Backend · Unresolved · 5 answers · 1330 views
既然无缘 2021-01-24 17:36

Don't know much about encryption...

Say I\'m preparing a SAML request to submit to an identity provider. Why would I need to apply an x.509 certificate to this request?

5 answers
  •  余生分开走
    2021-01-24 17:48

    In the case of SAML, message-level security (i.e. the XML itself is signed and sometimes encrypted) is used because the communication involves parties that don't communicate directly. SSL/TLS is for transport-level security, only used between the two parties that are communicating directly and for the duration of this communication only.

    Depending on which SAML binding you use, the dialog can look like this (e.g. along the lines of Shibboleth):

    • User's browser connects to Service Provider (SP)
    • SP gives the user a SAML request, not necessarily visible, but hidden within a form or equivalent.
    • User's browser (in a direct connection to the IdP) sends the SAML request to the IdP.
    • The user authenticates with it and gets a SAML response back.
    • The user's browser sends that SAML response to the SP.

    In this scenario, there is no direct SSL/TLS connection between the SP and the IdP, although all 3 parties are involved. (Some variants of this involve a back-end communication between SP and IdP for attributes, but that's a different problem.)

    • An SSL/TLS connection wouldn't be sufficient for the IdP to know that the SAML request came from an SP for which it's allowed to authenticate and release attributes, since the connection to the IdP comes from the user's browser, not the SP itself. For this reason, the SP must sign the SAML request message before handing it to the user's browser.
    • An SSL/TLS connection wouldn't be sufficient for the SP to know the SAML response came from an IdP it trusts. Again, that's why the SAML response itself is also signed.

    What applies to signing also applies to encryption, if the middle party, i.e. the user, isn't meant to see what's in the SAML message and/or if the connection between the user and the SP or IdP isn't over SSL/TLS (usually, it should be over HTTPS).
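The two signing points the answer above describes (the SP signs the request before handing it to the browser; the receiver verifies it against a certificate it already trusts, regardless of which TLS connection carried it) as an added Go example, not code from the original post or from any SAML product. It implements the detached signature of the SAML HTTP-Redirect binding (SAMLRequest, RelayState and SigAlg signed as URL-encoded query parameters, Signature appended) using only Go's standard library. The AuthnRequest, the RelayState value and the SP name sp.example.org are constructed for the example; the self-signed certificate stands in for the one an IdP would load from the SP's registered metadata.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample AuthnRequest; sp.example.org is a hypothetical SP.
const authnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
	`ID="_req-1" Version="2.0" IssueInstant="2021-01-24T17:36:00Z">` +
	`<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/metadata</saml:Issuer>` +
	`</samlp:AuthnRequest>`

// newSPIdentity makes the SP's signing key and a self-signed certificate; a real IdP
// gets this certificate out of band, from the SP's metadata, never from the message.
func newSPIdentity() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sp.example.org"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signedQuery is the SP side: DEFLATE+base64 the XML, then sign the URL-encoded
// SAMLRequest, RelayState and SigAlg parameters, in that order, with RSA-SHA256.
func signedQuery(key *rsa.PrivateKey, xml, relayState string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	toSign := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes())) +
		"&RelayState=" + url.QueryEscape(relayState) +
		"&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyQuery is the IdP side. The query arrived over the browser's TLS session, which
// says nothing about who built it; only the holder of spCert's key could have signed it.
func verifyQuery(spCert *x509.Certificate, query string) error {
	vals, err := url.ParseQuery(query)
	if err != nil {
		return err
	}
	if vals.Get("SigAlg") != sigAlgRSASHA256 {
		return fmt.Errorf("unsupported SigAlg %q", vals.Get("SigAlg"))
	}
	sig, err := base64.StdEncoding.DecodeString(vals.Get("Signature"))
	if err != nil {
		return err
	}
	pub, ok := spCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("SP certificate does not carry an RSA key")
	}
	// Hash the raw, still-encoded parameters minus Signature, exactly as the SP signed them.
	var signed []string
	for _, p := range strings.Split(query, "&") {
		if !strings.HasPrefix(p, "Signature=") {
			signed = append(signed, p)
		}
	}
	digest := sha256.Sum256([]byte(strings.Join(signed, "&")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

A genuine query verifies; one the browser (the party in the middle) has altered, say a rewritten RelayState, or one signed with a key the IdP has not registered, fails, which is exactly what a TLS connection from the browser cannot tell the IdP. Two caveats a real IdP adds on top of this: it must select the verification certificate by the request's Issuer from its own metadata store, not from anything carried in the message, and the HTTP-POST binding signs the XML itself with an enveloped XML-DSig signature, which requires canonicalization and is not implemented here.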
