Reputation: 8919
How to sign a SAML2 assertion with the encryption key(s)
I need to create a SAML2 assertion for a business partner we work with, who now requires a SAML2 SSO. We would be the identity provider.
They sent us their Public Key. We created a public key and sent ours to them. During the creation step, we had the option to exclude the private key and we did so.
I am not sure which combination of keys, and which form of the key (public or private), is used in the signing phase. What do we do with their public key? What do we do with our public and private keys? Do I have to create another version of our key that includes the private key?
Would someone care to offer a simple step by step explanation of a generic signing process, making clear which form of the key is used, and when?
Upvotes: 2
Views: 1375
Answers (1)
Reputation: 5595
First off. You do not give your private key to another entity. The whole point of the private-public key system is that you dont need to share you private key.
Signing is done with your private key and verified using your public key.
Encryption is down using theirs public key and is decrypted using their private key.
Upvotes: 3
Related Questions
- Validate signed assertion embedded in SAMLResponse
- Create SAML Assertion and Sign the response
- SAML Signature validation within Assertion
- How to Sign SAML Response using Open SAML?
- Is it good to sign saml assertion before encrypt it?
- Verify signature on SAML assertion
- How do I correctly digitally sign a SAML2.0 AuthnRequest?
- How to sign an saml 2.0 assertion using the openssl (.PCKS8) file
- Required signature on a SAML assertion
- How to self sign OpenSAML assertion for the version SAML 2.0 using java?