SAML signing and encryption

POST binding certificates

The following sections describe how certificates are used in the RealMe context for both login and assertion service, assuming that POST binding is being used.

Service Provider (SP) authentication request
  • The SAML V2.0 AuthnRequest must be signed using the private key of the Service Provider's certificate.
    • The signing algorithm should match the signing algorithm of the SP certificate.
    • Unlike some other IdPs, RealMe does not require encryption of the AuthnRequest.

Note that the SAML V2.0 AuthnRequest sent via the browser needs to be Safe Base64 encoded.

 RealMe IdP response
  • The AuthnResponse returned by RealMe includes a SAML Assertion that contains the FLT or verified attribute content.
  • The SAML assertion element is encrypted by RealMe using the SP's certificate public key, and this needs to be unencrypted using the SP's private key.
    • The encryption algorithm used by RealMe will be based on the algorithm used by the SP certificate.
  • The SAML response (assertion message) is signed by RealMe using its private key. The SP must validate the signature using the RealMe public key.
    • The signing algorithm used by RealMe is SHA-256.
Certificate key exchange
  • The Service Provider's public key is passed to RealMe in the X509 section of the SP metadata during integration with ITE or Production environments.
  • The RealMe public key is passed to the organisation in the X509 section of the IdP metadata supplied during integration (see step 2).