After the IdP successfully authenticates a user, it sends an authentication response back to the SP via a browser redirect. The IdP always uses a digital signature to ensure the origin and integrity of the response to the SP. SPs should always verify the digital signature and reject any IdP responses that fail this test.
Signing and verification are based on the IdP’s public/private key pair. The private key is used by the IdP for signing, and the public key, which is published in the IdP’s metadata, is used by the SP to verify the digital signature.
Note that the IdP has two options for signing responses:
- Signed response: The entire authentication response is signed. This is the default setting.
- Signed assertions: The attribute statement within the response is signed. This can be configured on a per-SP basis on request.