How does trust work between SP and IDP in SAML


I am new to SAML and we just purchased software running on Windows Server with IIS. This software can't create a metadata file and I am having a hard time understanding how things work. Our IdP, based on IBM Security Verify Access, provided a metadata file and I was able to modify my web.config file. Since I am unable to provide them with our SP-side metadata file, or at least the X.509 cert, the communication is not working.

My question is: can I just create a public and private key pair using OpenSSL or other tools to create my SP metadata file? I am unable to find where to store the private certificate. Can I just save this self-signed certificate in my Windows cert storage, or is this not how things work?

Or does this work totally differently, and the code of my SP product has to be changed to learn how to handle the SP-side certificate and where to find and work with the private key?

He basically has the same question: where do I find info on how the SP uses its private key to sign the authentication request and sends it to the URL at the IdP?

Thanks in advance

Answer from Stefan Rasmusson:

Lots of different questions here; it's always good to try and slim it down to get better answers.

The trust between SP and IDP is typically established by exchanging metadata. When it comes to trust, the important thing in the metadata is the public key of the certificate. This will be used to verify that messages are actually sent by the other party.

Of course, in order to verify this, the sender must sign the message using the private part of the key. SAML uses XML signatures and, in some cases, a signature in the URL to protect the message end to end. This kind of signing is something that must be specifically built into the software you are using. It is not the same as TLS protection. For exact information on how this is done you will have to consult the SAML specification. To get some low-level understanding of how it works you could have a look at my blog post on how to do this in OpenSAML.

You can write the metadata file by hand if the software cannot generate it. Just make sure that you protect it from manipulation when you transfer it. For something deeper, I have a write-up on how the trust works using metadata on my blog.

What software is this?
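To make the two points of the answer concrete (trust comes from the certificate published in metadata; the SP proves itself by signing with the matching private key), here is an added Go example. It is not code from the original question or answer, from the blog posts mentioned, or from any SAML product; it shows the mechanics with the Go standard library only. The SP side generates a key pair and a self-signed certificate (what the question proposes doing with OpenSSL), writes minimal metadata by hand with that certificate in a `KeyDescriptor use="signing"`, and signs an AuthnRequest for the HTTP-Redirect binding (the "signature in the URL" case). The IdP side extracts the certificate from the metadata and verifies the signature over the raw query string. The function names, `sp.example.com`, the sample AuthnRequest and the choice of RSA-SHA256 are assumptions made for this example; the XML-Signature form used by the POST binding needs XML canonicalization and is not shown.

```go
package main
import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// rsaSHA256 is the SigAlg the SP advertises and the IdP insists on; sampleAuthnRequest is a constructed minimal request with a placeholder entity ID.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/saml</saml:Issuer></samlp:AuthnRequest>`

// NewSPKeyPair generates an RSA key pair and a self-signed signing certificate, the in-code
// equivalent of "openssl req -x509 -newkey rsa:2048". The private key never leaves the SP.
func NewSPKeyPair(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(3, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// BuildMetadata writes hand-made SP metadata; the base64 DER certificate inside KeyDescriptor
// use="signing" is the public half the IdP needs in order to trust this SP.
func BuildMetadata(cert *x509.Certificate, entityID string) string {
	return `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="` + entityID + `">` +
		`<md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">` +
		`<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>` +
		base64.StdEncoding.EncodeToString(cert.Raw) +
		`</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>`
}

// SigningCertFromMetadata is the IdP side: the certificate it extracts from the SP metadata
// becomes the trust anchor against which every signature from that SP is checked.
func SigningCertFromMetadata(metadata string) (*x509.Certificate, error) {
	var md struct {
		Certs []string `xml:"SPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
	}
	if err := xml.Unmarshal([]byte(metadata), &md); err != nil || len(md.Certs) == 0 {
		return nil, errors.New("metadata carries no usable X509Certificate")
	}
	der, _ := base64.StdEncoding.DecodeString(strings.TrimSpace(md.Certs[0])) // bad base64 fails in ParseCertificate
	return x509.ParseCertificate(der)
}

// SignRedirectQuery is the SP side of the HTTP-Redirect binding: DEFLATE + base64 + URL-encode the
// AuthnRequest, sign "SAMLRequest=...&SigAlg=..." with the private key and append it as Signature=.
func SignRedirectQuery(key *rsa.PrivateKey, authnRequest string) (string, error) {
	var deflated strings.Builder
	w, _ := flate.NewWriter(&deflated, flate.DefaultCompression)
	w.Write([]byte(authnRequest))
	w.Close()
	signed := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(deflated.String()))) +
		"&SigAlg=" + url.QueryEscape(rsaSHA256)
	digest := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the IdP side. It rebuilds the signed string from the raw, still-encoded
// query exactly as received: re-encoding could change the signed bytes and reject a valid request.
func VerifyRedirectQuery(spCert *x509.Certificate, rawQuery string) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != rsaSHA256 {
		return errors.New("unsupported SigAlg: " + alg) // refuse algorithm downgrade or confusion
	}
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed value simply fails verification
	pub, ok := spCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("SP certificate does not carry an RSA key")
	}
	digest := sha256.Sum256([]byte("SAMLRequest=" + raw["SAMLRequest"] + "&SigAlg=" + raw["SigAlg"]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

The example keeps the private key in memory only to show the mechanics; as the answer says, whether the SP software signs at all, and from which key store it reads the private key, is decided by that software, so a key pair generated outside it only helps once the product knows where to look. Note also that verification works on the query string as received rather than on decoded-and-re-encoded parameters, and that the IdP rejects a `SigAlg` other than the one it expects before doing any signature check.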