I have a general question about keys used in SAML federations.
Normally to establish an SSO, the XML messages and SAML assertions are signed by one partner (IdP or SP).
Normally which partner should sign the message with the private key?
Thanks
The sender of a message is the one that signs it.
A common message exchange using the SAML2 WebSSO profile is:

1. AuthnRequest to the IdP. The AuthnRequest might be signed by the SP, but doesn't have to be.
2. SamlResponse back to the SP through an HTTP POST. The IdP might sign the entire SamlResponse, or only the contained Assertion(s), or both. If the SamlResponse is not signed, the Assertions must be signed to be trusted.
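The trust rule in the answer above (either the SamlResponse is signed, or every Assertion in it is), as an added example that is not part of the original answer or of any SAML library: a stdlib-only Python check that inspects a constructed samlp:Response and reports which elements carry an enveloped ds:Signature whose Reference URI points at that element's own ID. It does not verify any signature cryptographically; an XML-DSig library checking against the IdP's metadata certificate does that, and this check then tells you whether what was verified actually covers the Assertion you are about to trust. The element IDs, issuer URL and SignatureValue are placeholders constructed for the example.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production code

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _enveloped_signature_covers(elem):
    """True if elem has a direct child ds:Signature whose single Reference URI is
    "#<elem ID>", i.e. an enveloped signature over this very element. A Signature
    sitting elsewhere, or referencing another ID, does not vouch for elem."""
    sig = elem.find("ds:Signature", NS)
    elem_id = elem.get("ID")
    if sig is None or not elem_id:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + elem_id


def signature_coverage(response_xml):
    """Report which parts of a samlp:Response are structurally signed and whether
    the rule from the answer holds: Response signed, or every Assertion signed.
    Cryptographic verification is out of scope here and must be done separately."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("expected a samlp:Response, got %s" % root.tag)
    response_signed = _enveloped_signature_covers(root)
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = [_enveloped_signature_covers(a) for a in assertions]
    acceptable = bool(assertions) and (response_signed or all(assertions_signed))
    return {
        "response_signed": response_signed,
        "assertions_signed": assertions_signed,
        "acceptable": acceptable,
    }


# --- constructed sample messages; SignatureValue is a placeholder, not real crypto ---
def _sig(uri):
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="%s"/>'
            '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
            '</ds:Signature>' % (NS["ds"], uri))


def build_response(sign_response=False, sign_assertion=False, assertion_ref="#_a1"):
    """Minimal samlp:Response with one Assertion. assertion_ref lets a test place a
    Signature inside the Assertion whose Reference points at a different element."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>%s'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>%s'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"],
         _sig("#_r1") if sign_response else "",
         _sig(assertion_ref) if sign_assertion else "")


if __name__ == "__main__":
    print("response signed only :", signature_coverage(build_response(sign_response=True)))
    print("assertion signed only:", signature_coverage(build_response(sign_assertion=True)))
    print("nothing signed       :", signature_coverage(build_response()))
    print("misdirected reference:", signature_coverage(
        build_response(sign_assertion=True, assertion_ref="#_other")))
```

The fourth case is the one worth keeping in mind: a Signature element that is present inside the Assertion but whose Reference points at some other ID would pass a naive "is there a signature?" check while vouching for nothing the SP is about to consume.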