Signing Certificates
When sending an authentication request to the IdP, Stytch sends a signature along with the request, indicating that the request came from Stytch. This signature can be verified using the Signing Certificate provided by Stytch, in the form of an X.509 certificate. This certificate is present on all SAML connection objects.
Some IdPs may call this a "signed request" or "Signature Validation", or have WantAuthnRequestsSigned="true" in their SAML configuration settings. This certificate should be uploaded to the IdP in order to make use of this optional feature.
You can update the signing certificate for a SAML connection by providing a PKCS1 format RSA private key (starting with "-----BEGIN RSA PRIVATE KEY-----") in the Update SAML Connection endpoint. Stytch will automatically generate a new X.509 certificate from this private key and return it in the signing_certificates array. This private key will also be used to sign future SAML SSO Authenticate Start requests.
Verification Certificates
When receiving an authentication response from the IdP, Stytch will verify that the response actually originates from the IdP.
Stytch will only accept an authentication response from the IdP if the signature of the response is correctly validated with the connection's stored Verification Certificate, which comes from the IdP. This X.509 certificate is uploaded to Stytch and stored with the specific SAML connection. In the API, you can provide the certificate on a SAML update request.
There is a limit of 5 verification certificates per SAML connection. You can delete a connection's certificate by calling the Delete Verification Certificate endpoint.
When uploading a certificate to an IdP or passing a certificate to Stytch, you may encounter the certificate in the form of a PEM file. The signing certificate from Stytch's Create SAML Connection endpoint is provided as a raw string with newlines, so quote the variable when writing it to a file; an unquoted expansion is word-split by the shell and the newlines are lost, leaving a one-line file that PEM parsers reject.
echo "$SIGNING_CERTIFICATE" > stytch_signing_certificate.pem
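The following is an added example, not code from Stytch's documentation or SDKs. It shows a small POSIX shell routine for writing the signing certificate string to a PEM file without flattening its newlines and checking the result before uploading it to the IdP, and it also covers the earlier Update SAML Connection note by checking that a private key file carries the PKCS1 "BEGIN RSA PRIVATE KEY" header rather than the PKCS8 "BEGIN PRIVATE KEY" header. The certificate and key bodies are constructed placeholders (not real DER), and the file names and function names are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example, not Stytch's own code. Writes a PEM value that contains
# embedded newlines to disk intact, checks its BEGIN/END markers, and checks
# that a private key is in the PKCS1 form the Update SAML Connection
# endpoint expects. All PEM bodies below are constructed placeholders.

# Constructed stand-in for the value found in the signing_certificates array.
SIGNING_CERTIFICATE="-----BEGIN CERTIFICATE-----
MIIBplaceholderbodyline1
MIIBplaceholderbodyline2
-----END CERTIFICATE-----"

# Constructed stand-ins for a PKCS1 key (the format the endpoint accepts)
# and a PKCS8 key (a different container with a different header).
PKCS1_KEY="-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderbody
-----END RSA PRIVATE KEY-----"
PKCS8_KEY="-----BEGIN PRIVATE KEY-----
MIIEplaceholderbody
-----END PRIVATE KEY-----"

# write_pem FILE VALUE: write VALUE to FILE keeping its line structure.
# The variable must be quoted: an unquoted expansion is word-split on
# newlines, so `echo $VAR > file` yields a single-line file.
write_pem() {
  printf '%s\n' "$2" > "$1"
}

# pem_line_count FILE: number of lines a PEM parser will see.
pem_line_count() {
  wc -l < "$1" | tr -d ' '
}

# pem_looks_valid FILE LABEL: first line is exactly "-----BEGIN LABEL-----"
# and last line is exactly "-----END LABEL-----", e.g. LABEL=CERTIFICATE.
pem_looks_valid() {
  head -n 1 "$1" | grep -q "^-----BEGIN $2-----\$" &&
    tail -n 1 "$1" | grep -q "^-----END $2-----\$"
}

# is_pkcs1_rsa_key FILE: true only for the PKCS1 "RSA PRIVATE KEY" header,
# so a PKCS8 file is caught before it is sent to the endpoint.
is_pkcs1_rsa_key() {
  pem_looks_valid "$1" "RSA PRIVATE KEY"
}

# Demonstration when the script is run directly.
write_pem stytch_signing_certificate.pem "$SIGNING_CERTIFICATE"
if pem_looks_valid stytch_signing_certificate.pem CERTIFICATE; then
  echo "certificate written with $(pem_line_count stytch_signing_certificate.pem) lines"
fi
write_pem signing_key.pem "$PKCS1_KEY"
if is_pkcs1_rsa_key signing_key.pem; then
  echo "signing_key.pem has the PKCS1 header"
fi
```

Once a real certificate has been written this way, `openssl x509 -in stytch_signing_certificate.pem -noout -subject -dates` confirms that it parses, which is the quickest way to catch a flattened or truncated file before it reaches the IdP. If a key you hold starts with "-----BEGIN PRIVATE KEY-----" (PKCS8), OpenSSL 3 can rewrite it into the PKCS1 form with `openssl rsa -in key.pem -traditional -out key_pkcs1.pem`.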