IDP encryption cert

[benjhoo]

Hi,
I'm new in SAML authentication and I'm a little confused about cert params in passport-saml.

With a simple signing cert from IDP, I made my authentication work, but now I have to authenticate through a IDP server using both encryption and signing certificates.
How can I both set them up ?

<KeyDescriptor use="signing">
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate> MIIDMz... == </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate> MIIDND... Q= </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate> MIIDND... 4= </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>

Concerning the certs, if I had to resume the params (tell me if I'm wrong):

• cert = the IDP public signing cert
• privateKey = the SP private key associated to the SP public signing cert
• decryptionPvk = the SP private key associated to the SP public encryption cert

and in the generateServiceProviderMetadata() function:

• decryptionCert = the SP public encryption cert
• signingCert = the SP public signing cert

Last question, If my SP doesn't use an encryption certificate, decryptionCert in generateServiceProviderMetadata() function should be null or the same as signingCert ?

[christian-hawk]

Concerning the certs, if I had to resume the params (tell me if I'm wrong):
cert = the IDP public signing cert
privateKey = the SP private key associated to the SP public signing cert
decryptionPvk = the SP private key associated to the SP public encryption cert

All above are correct .

Notice that your ** decryptionCert** will be used by IDP to encrypt assertions.

I'm not aware of any use-case where the SP send encrypted SAML Requests to IDP, are you sure that's your goal?

Last question, If my SP doesn't use an encryption certificate, decryptionCert in generateServiceProviderMetadata() function should be null or the same as signingCert ?

null