Saml: Is it necessary to trust and verify public key for ssl when the artifact response is signed?

I've made an implementation based on this with a FilesystemMetadataProvider: https://github.com/vdenotaris/spring-boot-security-saml-sample

To make the SSL handshake for the artifact binding work I put the SSL sertificates for the endpoint in the idps metafile(I tried to put both the leaf and CA in the cacerts on the jre and trust store of the server but that didn't work).

I don't want the extra maintenance for generating the certificates and modifing the Idps metafile when the leaf certificate changes.

Is it really necessary to mess with the transport layer? Isn't it enough to check that the SSL certificate is valid and after that check the signature of the Assertion?

Solution

I asked the IDP. They say that few choose to trust the SSL certificate and it should be enough to validate the SSL certificate and check the signature in the Assertion.

MSIS0037: No signature verification certificate found for issuer
Configuring SAML2: Bypassing 'InResponseTo' Validation While Retaining Default Settings in OpenSaml4AuthenticationProvider
pac4j saml changes session (creates new one) during callback
How do I set up a local test SAML2.0 Identity Provider?
How to implement SAML in asp.net?
SAML SSO failure - "Reason: Destination is invalid."
Pac4j SAML Akka Http Integration: Custom logic on callback
How am I supposed to handle an expiring SAML certificate as an SP?
Why is Keycloak resulting in "Cookie not found" error after IDP initiated login?
SHIBBOLETH SP - Shibboleth handler invoked at an unconfigured location - Shibboleth.sso/Session/
Validate signed assertion embedded in SAMLResponse
How to enable SAML as authentication provider in MS Entra?
Should I require IdP's to sign SAML2 SSO responses?
Azure as SAML 2.0 Service Provider
Cannot authenticate SAML because response not have signature block in it
Azure B2C modify SAML AccessTokenLifetime
Authenticate Vue 2 SPA via SAML 2.0 and ADFS
Logging into SAML/Shibboleth authenticated server using python
Generate IDP Certificate in Azure AD for SSO
Security concerns with providing SAML metadata on public URL
Sustainsys.Saml2 No cookie preserving state from the request was found
Unable to login to AWS via SAML getting Response signature invalid
How do you transform SAML 2 claims to readable values?
Which lib to create an Identity provider to connect to service provider
Getting part of a SAML object in c#
How to get SAML token using C#/ASP.NET
Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
How to configure grails-spring-security-saml plugin version 5.0.0-RC3 for https applications
AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'. Received value: 'Minimum'
Why can't I get my ASP.NET web app to work with IT FoxTec SAML?