single-sign-on saml-2.0 federated-identity

Message level security and signing in SSO

I have a general question about keys used in SAML federations.

Normally to establish an SSO, the XML messages and SAML assertions are signed by one partner (IdP or SP).

Normally which partner should sign the message with the private key?

Thanks

Solution

The sender of a message is the one that signs it.

A common message exchange using the SAML2 WebSSO profile is:

The SP (Service Provider) sends an AuthnRequest to the Idp. The AuhtnRequest might be signed by the SP, but doesn't have to.
The Idp (Identity Provider) sends a SamlResponse back to the SP through a HTTP POST. The Idp might sigh the entire SamlResponse or only the contained Assertion(s) or both. If the SamlResponse is not signed, the Assertions must be signed to be trusted.

How to check signature of a token coming from Azure SSO
SSO Integration between 2 webapps using Cognito
Verify Microsoft Access token on my ASP.NET Core Web API
How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
StackOverflow with Keycloak as login provider returns empty email address
IdentityServer4 and SSO
Spring Boot + Security + MVC + LDAP AD + SSO
Issue with Windows Authentication Type on IIS with Multiple Host Bindings
Generate IDP Certificate in Azure AD for SSO
Disqus SSO, "Your API key is not valid on this domain"
Sign-in With Apple: Possibility To Create Duplicate Account Issue
AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
MS Graph InteractiveBrowserCredential , Is a Client ID registered in Azure Portal really necessary?
Logout from next-auth with keycloak provider not works
How to validate access token from AzureAD in python?
Outlook SSO NAA in pure JS without node.js
How to create SSO from Liferay to another portal / service?
How to add ForceAuthn flag on AWS cognito
Download file from TeamCity with SSO using bash
Obtain token programatically to go see a page with ASP.NET application
Which is the best sample/approach to start openiddict server to provide logins to wordpress?
No Sustainsys.Saml2 for MVC 3? Are there any alternatives?
Which lib to create an Identity provider to connect to service provider
The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used
Best way to implement Single-Sign-On with all major providers?
Azure AD token for accessing Graph token
Integration of SSO using MSAL in Angular project gets 401 returned error after login
Simple way to put AWS Lambda app behind SAML authentication
Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
Log out from SSO kerberos