📄️ Generate a key pair
SAML security features (signing and encryption) require a key pair: a certificate (public key) and a private key. The certificate is shared with your SAML partners and published in your metadata. The private key must remain secret.
📄️ Security
litesaml/saml supports message signing, signature verification, assertion encryption, and assertion decryption. All security features are configured through descriptor classes (Sp, Idp) and are applied automatically by the wrappers.
📄️ Sign message
Message signing is automatic in litesaml/saml. When a Certificate with a PrivateKey is configured as the signing property on your Sp or Idp descriptor, all outgoing messages are signed without any extra code.
📄️ Verify signature
Signatures are verified inline, at the point of receiving a message. There is no way to verify a signature after the fact on an already-parsed message.
📄️ Encrypt assertion
The IdP can encrypt individual attributes so that only the intended SP can decrypt them. This is done at the attribute level when calling sendAuthnResponse().
📄️ Decrypt assertion
When the IdP sends encrypted assertions, the SP decrypts them automatically in handleAuthnResponse() — provided the Sp descriptor is configured with an encryption Certificate that includes a PrivateKey.