Tim

Reputation: 8919

How to sign a SAML2 assertion with the encryption key(s)

I need to create a SAML2 assertion for a business partner we work with, who now requires a SAML2 SSO. We would be the identity provider.

They sent us their Public Key. We created a public key and sent ours to them. During the creation step, we had the option to exclude the private key and we did so.

I am not sure which combination of keys, and which form of the key (public or private), is used in the signing phase. What do we do with their public key? What do we do with our public and private keys? Do I have to create another version of our key that includes the private key?

Would someone care to offer a simple step by step explanation of a generic signing process, making clear which form of the key is used, and when?

Upvotes: 2

Views: 1375

Answers (1)

Stefan Rasmusson

Reputation: 5595

First off, you do not give your private key to another entity. The whole point of the private-public key system is that you don't need to share your private key.

Signing is done with your private key and verified using your public key.

Encryption is done using their public key and is decrypted using their private key.

Upvotes: 3
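The key roles the answer describes, as an added example that is not part of the question or answer: signing with the IdP's private key, verification with the IdP's public key, encryption with the partner's public key and decryption with the partner's private key. The assertion fragment is constructed and both key pairs are generated on the spot; in a real SAML deployment the partner's key would be loaded from the certificate they sent.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignAssertion: the IdP signs with its own PRIVATE key (RSA PKCS#1 v1.5 over SHA-256,
// the same primitive behind the rsa-sha256 XML-DSig algorithm). This key never leaves the IdP.
func SignAssertion(idpPriv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, idpPriv, crypto.SHA256, digest[:])
}

// VerifyAssertion: the partner checks the signature with the IdP's PUBLIC key, the one we sent them.
func VerifyAssertion(idpPub *rsa.PublicKey, assertion, sig []byte) bool {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], sig) == nil
}

// EncryptForPartner: encrypt with the partner's PUBLIC key (RSA-OAEP). In real SAML this wraps a
// symmetric key that encrypts the assertion; the plaintext here is kept short for the same reason.
func EncryptForPartner(spPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, plaintext, nil)
}

// DecryptAsPartner: only the partner's PRIVATE key can open what was encrypted to their public key.
func DecryptAsPartner(spPriv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, ciphertext, nil)
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // our (IdP) key pair
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // stands in for the partner's key pair
	// Constructed sample; a real assertion is a full signed XML document.
	assertion := []byte(`<saml:Assertion ID="_sample"><saml:Subject>user@example.com</saml:Subject></saml:Assertion>`)

	sig, _ := SignAssertion(idpKey, assertion)
	fmt.Println("partner verifies signature:", VerifyAssertion(&idpKey.PublicKey, assertion, sig))
	fmt.Println("tampered assertion verifies:", VerifyAssertion(&idpKey.PublicKey, []byte("<saml:Assertion/>"), sig))

	ct, _ := EncryptForPartner(&spKey.PublicKey, assertion)
	pt, _ := DecryptAsPartner(spKey, ct)
	fmt.Println("partner decrypts ok:", string(pt) == string(assertion))
}
```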
