Question

I am trying to configure my application (SP) to work with a remote IDP. The IDP provided me with a certificate to configure with the SP. For the SAML request, do I use the SP's public key or the IDP's? Also, where can I find good resources to study SAML in detail (apart from the OASIS formal documents)? The tutorials that I find are very simplistic (i.e. they just describe that the SP goes to the IDP and is then redirected back, but do not go into detail on the SAML messages). The OASIS documents are confusing. Thanks for any answers.


Solution 2

I'm not 100% sure, but it looks from these two sources that you should sign with your (SP's) private key and share the associated public key with the IdP so they can verify the signature.

OTHER TIPS

Signing is done using private keys - not public keys.

So, if the SAML request needs to be signed, SP must use its private key for it. Also, a certificate containing SP's public key should be given to the IdP to validate the signature.

The reason for IdP providing you its certificate is for SP to validate the signed SAML responses sent by the IdP.
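The key roles both answers describe, shown as an added example that is not part of the question or either answer: the SP signs its AuthnRequest with its own private key and the IdP verifies it with the SP's certificate, while the IdP signs the Response and the SP verifies it with the IdP's certificate. It stands in raw RSA-SHA256 signatures over constructed sample messages and freshly generated keys for real SAML, which uses XML Signature (canonicalized, embedded in the XML) and distributes the public keys as X.509 certificates in metadata.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sign produces an RSA-SHA256 (PKCS#1 v1.5) signature, the algorithm SAML
// calls rsa-sha256, over msg using the signer's own private key.
func sign(signer *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, h[:])
	if err != nil {
		panic(err) // only fails on an entropy or key problem
	}
	return sig
}

// verify checks msg against sig using the public key taken from the
// sender's certificate, the half each party publishes in its SAML metadata.
func verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, h[:], sig) == nil
}

// exchange runs both signed legs over constructed sample messages and reports:
// IdP accepts the request via the SP's cert; the request verifies under the
// IdP's own cert (it must not); SP accepts the response via the IdP's cert.
func exchange(spKey, idpKey *rsa.PrivateKey) (reqOK, reqWrongCert, respOK bool) {
	authnRequest := []byte(`<samlp:AuthnRequest ID="_req1" Destination="https://idp.example/sso"/>`)
	samlResponse := []byte(`<samlp:Response ID="_rsp1" InResponseTo="_req1"/>`)

	reqSig := sign(spKey, authnRequest)                            // SP signs with its private key
	reqOK = verify(&spKey.PublicKey, authnRequest, reqSig)         // IdP checks with SP's cert
	reqWrongCert = verify(&idpKey.PublicKey, authnRequest, reqSig) // IdP's own cert cannot verify it

	rspSig := sign(idpKey, samlResponse)                     // IdP signs with its private key
	respOK = verify(&idpKey.PublicKey, samlResponse, rspSig) // SP checks with IdP's cert
	return
}

func main() {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(exchange(spKey, idpKey)) // true false true
}
```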

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow