Certificates in SWITCHaai Metadata

Why do we need certificates in metadata?

Certificates embedded or referenced in SAML metadata are needed to protect the SAML communication between the Identity and Service Providers. As part of the metadata, it is ensured that the certificates are available at the Identity and Service Providers whenever needed.

What kind of protection do these certificates provide?

On one hand, by signing a SAML assertion, the certificate enables the recipient to properly identify the sender as well as to verify the assertion's integrity. On the other hand, by using the recipient's certificate to encrypt an assertion, the sender ensures that only the intended recipient can access the assertion's content.

Benefits by embedding certificates in metadata

A certificate embedded in metadata is only used as a container for the public key. Therefore, it is fully sufficient if it is self-signed, since the trust is established via the digital signature on the metadata file. The signer of the certificate does not matter at all, unlike in the case of web server certificates.
One can directly trust the embedded certificate due to the well-defined process documented in [1] that implements the SWITCHaai Certificate Acceptance Policy when accepting a certificate to be embedded into the SAML metadata file.
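The two points above, that a KeyDescriptor's certificate is only a key container and that its issuer is irrelevant to the relying party, can be seen in a small program. The following is an added example, not code from SWITCHaai or the referenced process document: it builds a self-signed certificate, embeds it in a constructed EntityDescriptor with use="signing" (plus a separate use="encryption" key), then pulls the public key back out of the metadata and verifies a signature with it. The parsing step deliberately performs no chain validation. The entity IDs, the assertion text and the use of plain RSA-PKCS#1 v1.5 in place of XML Signature are assumptions made for the example; the metadata signature that actually establishes trust is assumed to have been checked before this code runs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Minimal view of a SAML 2.0 EntityDescriptor: only the KeyDescriptors of the
// IdP role are mapped. The field tags carry no namespace, so encoding/xml
// matches the md:/ds: prefixed elements by local name.
type keyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}

type entityDescriptor struct {
	XMLName  xml.Name        `xml:"EntityDescriptor"`
	EntityID string          `xml:"entityID,attr"`
	Keys     []keyDescriptor `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// selfSignedCert makes a throwaway self-signed certificate (issuer == subject),
// which is all a key container in metadata needs.
func selfSignedCert(cn string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// buildMetadata constructs an EntityDescriptor with a signing KeyDescriptor and,
// if encryptionDER is non-nil, a second one for encryption (constructed sample).
func buildMetadata(entityID string, signingDER, encryptionDER []byte) string {
	kd := func(use string, der []byte) string {
		return fmt.Sprintf(`<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s`+
			`</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`, use,
			base64.StdEncoding.EncodeToString(der))
	}
	body := kd("signing", signingDER)
	if encryptionDER != nil {
		body += kd("encryption", encryptionDER)
	}
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" `+
		`xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">`+
		`<md:IDPSSODescriptor>%s</md:IDPSSODescriptor></md:EntityDescriptor>`, entityID, body)
}

// signingKeyFromMetadata returns the IdP's signing public key. The certificate is
// parsed only to reach the key: no chain building, no issuer check, no expiry
// check, because trust comes from the signature on the metadata file itself.
func signingKeyFromMetadata(metadata string) (*rsa.PublicKey, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return nil, err
	}
	for _, k := range ed.Keys {
		if k.Use != "" && k.Use != "signing" { // no use attribute means both
			continue
		}
		// Base64 inside the element is often line-wrapped; drop all whitespace.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			return pub, nil
		}
		return nil, errors.New("signing certificate does not carry an RSA key")
	}
	return nil, errors.New("no signing KeyDescriptor in metadata")
}

// signAssertion stands in for XML Signature: RSA-PKCS#1 v1.5 over SHA-256.
func signAssertion(key *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyAssertion checks a signature using only the key found in the metadata.
func verifyAssertion(metadata string, assertion, sig []byte) error {
	pub, err := signingKeyFromMetadata(metadata)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	idpKey, idpDER, err := selfSignedCert("idp.example.org")
	if err != nil {
		panic(err)
	}
	meta := buildMetadata("https://idp.example.org/idp/shibboleth", idpDER, nil)
	assertion := []byte("<saml:Assertion>constructed sample</saml:Assertion>")
	sig, _ := signAssertion(idpKey, assertion)
	fmt.Println("genuine assertion verifies:", verifyAssertion(meta, assertion, sig) == nil)
	fmt.Println("tampered assertion verifies:", verifyAssertion(meta, []byte("tampered"), sig) == nil)
}
```

Note that signingKeyFromMetadata skips the use="encryption" entry: a key published for receiving encrypted assertions must not be accepted as a signing key, and vice versa, even though both are carried in the same metadata file. A signature made with any key that is not in the metadata, however trustworthy the CA that issued its certificate, is rejected, which is exactly the property the metadata signature and the acceptance process in [1] are relied on for.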

References

[1] Process to Manage Embedded Certificates for Federation Metadata
