OpenSAML user discussion

["Pantvaidya, Vishwajit" <>]

Ok - so the test IdP will sign the saml msg using its own private key and I 
can validate that using its public key that it gives me, right?

And if I need encryption it will encrypt the saml msg using my pub key that I 
give to it when I register. And my SP can decrypt it using my own private key 
right?

--------------------------
Sent from my BlackBerry Wireless Handheld


----- Original Message -----
From: Brent Putman 
<>
To: 

 
<>
Sent: Fri Nov 07 19:12:38 2008
Subject: Re: [OpenSAML] Testing SAML relying party browser post profile

Yes, correct about signatures.

You supply your public key to the IdP when you register, in case you want to 
send signed messages or do client TLS to the IdP (or have the IdP encrypt 
data to you in its responses).

It supplies its public key to you in the form of metadata that you can 
download and consume for validating signatues it generates (or for encrypting 
data to the IdP in your requests).  If your SP implementation doesn't 
directly consume SAML metadata, then just manually extract the IdP's keys and 
other information and store however you like.

The exchange of info between IdP and an SP is generally a 2-way thing.


Pantvaidya, Vishwajit wrote:

        For signatures, don't you sign with the private key and then the 
recipient validates with the public key? So I thought, the test IdP since it 
would generate a signed SAML message would need a private key to test with.


        -----Original Message-----
        From: Scott Cantor 
[mailto:]
        Sent: Friday, November 07, 2008 4:42 PM
        To: 

        Subject: RE: [OpenSAML] [OpenSAML2] Testing SAML relying party 
browser post profile



                The test IdP seems just right. Does it let me provide my own


        public-private


                or secret keys that I generated to test my SP?



        You have to supply metadata, which includes the public key. Your 
private key
        is your business.

        -- Scott