When running Federation Services, what are SignatureValue and
X509Certificate used for in a SAMLResponse?
At first glance, these elements are used to sign the XML document
that forms the SAMLResponse and to validate that signature. This
preserves the integrity of the SAMLResponse XML document.
The X509Certificate is the IdP certificate that the SP site has in its
configuration. It is used to verify the SignatureValue, which ensures
that the SAMLResponse XML document comes from the IdP, and can
therefore be trusted, and that the document has not been modified
since it was signed. The SP side uses the certificate public key it
has stored in its metadata to validate the X509Certificate value and
the SignatureValue, as described in the documentation (1).
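
The check described above, as an added example (not code from the
product or its documentation): the SP compares any certificate embedded
in the response with its stored copy and always returns the stored copy
as the one to verify SignatureValue with. The function names and the
sample data are assumptions; the signature check itself is left to an
XML signature library.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

class UntrustedSigner(Exception):
    """The response embeds a certificate the SP does not have on file."""

def verification_cert(saml_response_xml: str, stored_cert_der: bytes) -> bytes:
    """Return the certificate to check SignatureValue against.

    This is always the SP's stored copy. Embedded X509Certificate values
    are only compared with it; they are never used as the trust anchor.
    """
    # Use a hardened XML parser for untrusted input in production.
    root = ET.fromstring(saml_response_xml)
    stored_fp = hashlib.sha256(stored_cert_der).digest()
    for el in root.iterfind(".//ds:X509Certificate", NS):
        b64 = "".join((el.text or "").split())  # XML may wrap base64 lines
        try:
            embedded = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise UntrustedSigner("embedded certificate is not base64") from exc
        if not hmac.compare_digest(hashlib.sha256(embedded).digest(), stored_fp):
            raise UntrustedSigner("embedded certificate differs from stored one")
    return stored_cert_der  # absent or matching: verify with the stored copy

def sample_response(cert_der=None) -> str:
    """Constructed SAMLResponse skeleton (placeholder signature, no SignedInfo)."""
    key_info = ""
    if cert_der is not None:
        b64 = base64.encodebytes(cert_der).decode()  # line-wrapped base64
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + b64 +
                    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature>'
            "<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>" + key_info +
            "</ds:Signature></samlp:Response>")

# Constructed stand-ins for DER certificates, not real X.509 data.
STORED = b"constructed IdP certificate on file at the SP"
OTHER = b"constructed certificate the SP has never seen"

if __name__ == "__main__":
    print(verification_cert(sample_response(STORED), STORED) == STORED)
```
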
The references below give further description of the signature (2),
the X509Data element (3), and the relationship between the X509Data
element and the signature (4)(5).
(1)
Signing and Verification Operations
The Policy Server uses a private key/certificate pair for signing and
verification tasks. The private key/certificate pair signs the
assertion, the assertion response, or authentication request. The
specific message that is signed depends on the transaction taking
place and the federation profile in use.
Before any signing transaction, the partner signing the assertion
sends the certificate (public key) associated with the private
key/certificate pair to the partner. This exchange is done as part of
an out-of-band communication. The partner uses the certificate to
verify the signature.
When a transaction occurs, the asserting party includes the
certificate in the assertion, by default. During the verification
process, however, the partner uses the certificate that it stores at
its site to validate the signature.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8.html
(2)
4.3 The SignatureValue Element
The SignatureValue element contains the actual value of the digital
signature; it is always encoded using base64 [RFC2045].
https://www.w3.org/TR/xmldsig-core/#sec-SignatureValue
(3)
4.5.4 The X509Data Element
The X509Certificate element, which contains a base64-encoded
[X509V3] certificate
https://www.w3.org/TR/xmldsig-core/#sec-SignatureValue
(4)
SAML 2.0 x509 Certificate and Signature value?
the SignatureValue should be the real calculated digital signature
value, base 64 encoded. X509Certificate is also the base 64 encoded
signing certificate.
https://stackoverflow.com/questions/6814462/saml-2-0-x509-certificate-and-signature-value
(5)
Purpose of the x509 certificate in metadata files on the IdP side (SSO structure)
When the SP gets a SAML response from the IdP via the browser, it
must verify that the signature it gets comes from an IdP it knows
and was signed using the IdP's private key; this signature can be
verified against the IdP's public key in the certificate configured
in the metadata.
https://serverfault.com/questions/382966/purpose-of-the-x509-certificate-in-metadata-files-on-the-idp-side-sso-structure