Thibault H

Reputation: 1

How does trust work between an IDP and a SP in SAML v2.0?

After reading a lot of documentation on the SAML protocol, I still don't understand how the trust between an IDP and a SP works.

I know that both the IDP and the SP must have a "Metadata" file containing an x509 certificate. To establish this trust, the IDP and SP must exchange these Metadata files.

But I don't understand how technically this works. According to my research, many IDPs offer to do this in a graphical way by uploading the metadata files. My final goal is to implement the SAML Protocol in Golang. That's why I would like to understand how it works.

Thanks in advance!

Upvotes: 0

Views: 1442

Answers (1)

Stefan Rasmusson

Reputation: 5595

When you first set up an integration between an SP and an IdP, they exchange metadata XMLs. The SP gets one from the IdP and the IdP gets one from the SP.

They can be exchanged in many ways, for example by email, by letting an SP upload it in a form, or by exposing your metadata on a page on your service. The important thing is that the SP and IdP get each other's metadata and trust that they got it from the right person.

Metadata contains many things like endpoints and supported services, but also public keys. These keys are used to sign messages between the two.

When the SP sends messages to the IdP, the SP signs with its private key and the IdP verifies with the public key in the SP metadata. And vice versa: when the IdP sends something, it signs it with its private key and the SP verifies it with the public key in the IdP metadata. This way everyone can trust that the message came from the expected sender.

I have some other detail in a blog post I wrote if you need it.

I also agree with @Robby Cornelissen. SAML is not simple; you have to do it right, and the consequences can be severe.

Upvotes: 0
