ゆるテックノート

IdP / SP Certificates Basics

SAML relies on X.509 certificates for signing and encryption. Learn the roles and operational tips to avoid outages during rotation or revocation.

🔑 Roles of Certificates

Signing and encryption serve different purposes, and the use attribute on each KeyDescriptor in metadata declares which purpose a certificate is published for.

Use cases

  • Signing: validates the integrity and issuer of a SAML Response/Assertion. The SP verifies the signature with the IdP signing certificate.
  • Encryption: protects attributes through an EncryptedAssertion. The IdP encrypts with the SP public key; the SP decrypts with its own private key.
  • Placement: the IdP publishes its signing certificates in metadata; the SP publishes its certificates in metadata for signing and/or encryption.

How IdP certificates are used

  • 🧭 IdP signs Response/Assertion; SP verifies with the IdP public key.
  • 🧭 Mostly for signing on the IdP side; encryption typically uses the SP public key.
  • 🧭 Publish under use="signing" in metadata; during rotation, list old/new in parallel.

How SP certificates are used

  • 🧭 IdP encrypts Assertions with the SP public key for confidentiality.
  • 🧭 If the SP signs a LogoutRequest, it uses its private key and the IdP verifies the signature with the SP public key.
  • 🧭 Include the SP public key in metadata with use="signing" / use="encryption" as needed.

🧭 Operational Tips

Define how you rotate and check certs to avoid certificate-related outages.

Rotation

  • Publish old and new certs in parallel before expiry to allow a grace period.
  • Update metadata first and keep IdP/SP in sync.
  • If certificates are pinned on either side instead of read from metadata, plan the rollout order so the pins are updated before the key switches.

Revocation checks

  • Enable CRL/OCSP checks when available.
  • Keep NTP in sync; time drift affects revocation validation.
  • Separate test and production certs to avoid mix-ups.

📑 Handling in Metadata

Metadata is the source of truth between IdP and SP; verify usage and validity regularly.

Checks

  • KeyDescriptor has correct use="signing" / use="encryption".
  • Certificate validity period and Subject/Issuer are as expected.
  • Exported certificates carry no PEM headers/footers and no stray line breaks inside the X509Certificate element.
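The checks above (KeyDescriptor use, certificate hygiene) and the rotation rule under Operational Tips (publish old and new in parallel, update metadata before switching keys) can be exercised against a metadata file with a short script. The following is an added example, not code from this note or from any SAML product. It uses only the Python standard library; the metadata document and entity IDs are constructed for the example, and the certificate bodies are placeholder bytes rather than real DER certificates, so the validity period and Subject/Issuer checks still need an X.509 library applied to the DER bytes the script returns.

```python
"""Sanity checks over KeyDescriptor entries in SAML 2.0 metadata (stdlib only)."""
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_ARMOUR = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


def placeholder_der(label: str) -> bytes:
    # Constructed stand-in for DER bytes; NOT a real certificate.
    return f"placeholder-der-{label}".encode()


def placeholder_fingerprint(label: str) -> str:
    return hashlib.sha256(placeholder_der(label)).hexdigest()


def _b64(label: str) -> str:
    return base64.b64encode(placeholder_der(label)).decode()


# Constructed sample: the IdP is mid-rotation (old and new signing certs published in
# parallel, the old one exported with a line break in the body); the SP publishes a
# signing cert that still carries PEM armour and a KeyDescriptor with no "use" attribute.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://idp.example.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64('idp-signing-old')[:20]}
        {_b64('idp-signing-old')[20:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64('idp-signing-new')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.test/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>-----BEGIN CERTIFICATE-----
{_b64('sp-signing')}
-----END CERTIFICATE-----</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64('sp-both')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def normalize_cert_text(text: str):
    """Return (DER bytes, warnings). Strips PEM armour and whitespace that do not belong
    inside ds:X509Certificate and rejects content that is not base64."""
    warnings = []
    if PEM_ARMOUR.search(text):
        warnings.append("PEM header/footer inside X509Certificate")
        text = PEM_ARMOUR.sub("", text)
    if re.search(r"\s", text.strip()):
        # Legal as base64Binary, but normalize before fingerprinting or strict parsing.
        warnings.append("line breaks or spaces inside the certificate body")
    try:
        der = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"X509Certificate is not valid base64: {exc}") from exc
    return der, warnings


def collect_keys(metadata_xml: str):
    """List every KeyDescriptor with its entity, role, effective uses and SHA-256."""
    keys = []
    for ent in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        for role_tag in ("IDPSSODescriptor", "SPSSODescriptor"):
            for role in ent.findall(f"md:{role_tag}", NS):
                for kd in role.findall("md:KeyDescriptor", NS):
                    use = kd.get("use")
                    cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                    if cert is None or not (cert.text or "").strip():
                        raise ValueError(f"{ent.get('entityID')}: KeyDescriptor without X509Certificate")
                    der, warnings = normalize_cert_text(cert.text)
                    keys.append({
                        "entity_id": ent.get("entityID"),
                        "role": role_tag,
                        # Per the SAML metadata spec, an absent use attribute means the
                        # key serves both signing and encryption.
                        "uses": {use} if use else {"signing", "encryption"},
                        "sha256": hashlib.sha256(der).hexdigest(),
                        "warnings": warnings,
                    })
    return keys


def signing_certs(keys, entity_id):
    """SP-side trust set: every cert the entity currently publishes for signing.
    Trusting all of them, not only the newest, is what gives the rotation grace period."""
    return {k["sha256"] for k in keys if k["entity_id"] == entity_id and "signing" in k["uses"]}


def encryption_certs(keys, entity_id):
    """IdP-side: certs the entity accepts for EncryptedAssertion."""
    return {k["sha256"] for k in keys if k["entity_id"] == entity_id and "encryption" in k["uses"]}


def safe_to_activate(keys, entity_id, new_signing_sha256):
    """Rotation gate: switch the active signing key only once the metadata the peer
    consumes already lists the new cert (update metadata first, then flip)."""
    return new_signing_sha256 in signing_certs(keys, entity_id)


if __name__ == "__main__":
    found = collect_keys(SAMPLE_METADATA)
    for k in found:
        print(k["role"], sorted(k["uses"]), k["sha256"][:16], k["warnings"])
    idp = "https://idp.example.test/saml"
    print("IdP signing certs published:", len(signing_certs(found, idp)))
    print("safe to activate new key:",
          safe_to_activate(found, idp, placeholder_fingerprint("idp-signing-new")))
```

Run it against a real metadata export by replacing SAMPLE_METADATA with the file contents; the fingerprints it prints can be compared with what the peer actually has loaded, and a False from safe_to_activate means the metadata update has not propagated and the key switch must wait.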

Signed metadata handling

Per the OASIS metadata spec, verify the metadata signature and distribute it over a trusted channel.

  • Always verify the metadata signature with trusted keys.
  • Keep the download URL stable and validate signatures periodically to detect tampering.
  • Ensure entityID uniqueness and avoid mixing unintended entities.

🧾 Required vs Optional Usage

Treat the baseline checks as mandatory and add the optional ones according to your security posture.

Required (effectively mandatory)

  • Verifying IdP-signed Response/Assertion with the IdP signing certificate
  • Publishing signing certs in metadata so SP can validate

Depends on requirements (optional/recommended)

  • Encrypting Assertions with the SP public key; mandatory if confidentiality is required
  • Signing SP-issued messages (AuthnRequest/LogoutRequest); sometimes required by policy
  • CRL/OCSP revocation checks; enable when provided