SAML 2.0 SP Metadata: Purpose and Use of a Certificate
Here is some of the SP metadata.
...
<md:KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate> </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate> </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
...
Are there any advantages to choosing the same (or different) certificates for signing and encryption?
What is the purpose of including a signing certificate?
If the message is sent over HTTPS, transport-layer encryption is provided. Do I need to include the encryption certificate here?
In SAML 2.0 Web SSO, metadata providers typically advertise the same certificate for both signing and encryption.
There are some use cases where different keys make sense — for example, when the SP itself should not decrypt the data provided by the IDP (such as the NameID or attributes) and only the final recipient of the claim does so; or when the party that provides the content for a claim is not the party that actually creates the SAML messages — but these use cases are rare and matter more to other profiles than to Web SSO.
A signing certificate is included in order to inform consumers of the metadata how to validate messages produced by the metadata issuer. For example, when an SP receives a message from an IDP, it uses the signing certificate defined in the IDP metadata to verify that the message was generated by the IDP and not modified in transit.
Typically, you do not need to include an encryption certificate when encryption is performed at the transport layer and you are not performing any encryption at the message level (for example, of the entire message, the assertion, the NameID, or the attributes).
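A small metadata check that follows the points made in the answer above, as an added example that is not part of the original question or answer. It parses the `md:KeyDescriptor` elements of an SP metadata document, fingerprints each advertised certificate, and reports whether the same certificate is used for signing and encryption and whether an encryption key is advertised at all. The metadata, the entityID and the certificate bodies are constructed here for the example; the certificate bodies are base64 of placeholder bytes rather than real X.509 DER, because the logic only needs bytes to fingerprint. The example also handles a `KeyDescriptor` without a `use` attribute, which the SAML metadata schema treats as valid for both purposes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates": base64 of arbitrary bytes, not real DER.
SIGN_CERT_B64 = base64.b64encode(b"constructed-signing-cert-der").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed-encryption-cert-der").decode()

# Constructed SP metadata skeleton; the entityID is a placeholder.
TEMPLATE = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://sp.example.test/saml">'
    '<md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    "{descriptors}"
    "</md:SPSSODescriptor></md:EntityDescriptor>"
)


def key_descriptor(cert_b64, use=None):
    """Render one md:KeyDescriptor; use=None omits the attribute (both purposes)."""
    use_attr = f' use="{use}"' if use else ""
    return (
        f"<md:KeyDescriptor{use_attr}>"
        '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f"<ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
    )


def build_metadata(*descriptors):
    return TEMPLATE.format(descriptors="".join(descriptors))


def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes, hex encoded (thumbprint style)."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def key_usage(metadata_xml):
    """Map each key use ('signing', 'encryption') to the fingerprints advertised for it."""
    root = ET.fromstring(metadata_xml)
    usage = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue  # KeyInfo without a certificate body: nothing to fingerprint
        fp = fingerprint(cert.text)
        use = kd.get("use")
        if use is None:
            targets = list(usage)  # no @use: the key serves both purposes
        elif use in usage:
            targets = [use]
        else:
            continue  # not a schema-valid use value; ignore
        for u in targets:
            usage[u].append(fp)
    return usage


def summarize(metadata_xml):
    """Answer the two questions from the post: same cert for both? encryption advertised?"""
    usage = key_usage(metadata_xml)
    return {
        "signing_certs": usage["signing"],
        "encryption_certs": usage["encryption"],
        "same_cert_for_both": bool(set(usage["signing"]) & set(usage["encryption"])),
        "advertises_encryption": bool(usage["encryption"]),
    }


if __name__ == "__main__":
    sample = build_metadata(
        key_descriptor(SIGN_CERT_B64, "signing"),
        key_descriptor(ENC_CERT_B64, "encryption"),
    )
    print(summarize(sample))
```

An SP that relies on TLS alone and does no message-level encryption will show `advertises_encryption` as false, which matches the answer's guidance; an IdP consuming such metadata then has no key to encrypt assertions to, so it should be configured not to attempt it.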