SSO SAML2.0 implementation in PHP

Question

So I am setting up an SSO implementation FROM my website TO another site. I understand how to build the requests and sign them and all of that stuff. What I am having trouble understanding is the certificates. Who gets what certificate, to be specific. I know how to generate them, but I am not sure if I send over the certificate to the website I am signing into or if they have to generate the certificate and keystore and send us the certificate. There is a little confusion in this part of the process for me that I could use a little help in clarifying.

Since I am accessing their site, it would seem to me that they should generate the certificate and send it to us, and keep the keystore on their machine for the handshake. If I have to generate both, where is the keystore typically kept? We have a couple implementations of this on our site, but the developer that wrote them no longer works here and there is little to no documentation left behind. Also, is the certificate a self-signed certificate that can be used in production? I believe it is, but just want to be sure. Any help in clarification would be greatly appreciated.

Answer 1

It's public key infrastructure (PKI) so you each get the other's public key certificate. It's normally done using the SAML2 metadata profile so you can have their public key certificate.

Looks like you're an IdP if they want the attributes encrypted you need to use their public key to do that. You sign your SAMLResponse to them with your private key and they validate it with your public key. So you each generate your own keys and keep them secret as they are secret keys for signing. You exchange public keys.

You need a certificate for your login endpoint but the other party don't need to see this. They only need your public key certificate for use with the XML exchange and you need their certificate to validate the signature on the SAMLResponse (if you're an SP).

The certificate for working with the SAML XML is normally 10 year self signed.