I'm in the process of making changes to my site so that we can be a SAML 2.0 Service Provider. We will be doing IdP-initiated SAML with Out-of-Band account federation.
For encryption, what is typical in SAML is XML Encryption, which defines an XML format for carrying encryption key information and encrypted data inside your SAML messages. In practice the assertion is encrypted with a fresh symmetric key, and that symmetric key is in turn encrypted with the Service Provider's public key, so only the SP can decrypt it.

Digital signatures, on the other hand, use asymmetric keys (a private/public key pair): the signature is computed with the private key and validated with the public key. So if your customer wants to include signatures in the XML they send you, they need to provide you with their public key, normally as an X.509 certificate in their IdP metadata. Every Assertion they send carries a signature value which must be validated before you grant that user any privileges.

Please note that the certificate in the signature's KeyInfo has been extracted from the SAML token itself, so it is untrusted input: verifying the signature against it only proves that the message is consistent with itself. If you want to rely on that certificate, you must validate it in a separate way, which means checking that it matches a certificate in your trust store (for example the one from the IdP metadata) before using it to verify the signature.

You may download the code in this guide from https://github.com/signicat/auth.
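The trust-store check described above, as an added example that is not part of the original page or of the signicat/auth repository. It assumes the SP pins the IdP's signing certificate(s) by SHA-256 fingerprint taken from the IdP metadata, uses only the Python standard library, and builds a constructed sample Response with placeholder byte strings in place of real certificates (the function names `build_response` and `pick_verification_cert` are this example's own). It also checks that the Signature is a direct child of the Assertion and that its Reference points at that Assertion's ID, since a certificate that is in the trust store is still useless if the signature covers a different element.

```python
"""
Added example: decide whether the X.509 certificate embedded in a SAML
Assertion's <ds:KeyInfo> may be used for signature verification, by checking
it against the SP's own trust store instead of trusting the token's contents.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders, NOT real DER certificates. In production the trusted
# bytes come from the IdP metadata you exchanged out of band with the customer.
IDP_CERT_DER = b"placeholder-idp-certificate-from-metadata"
ROGUE_CERT_DER = b"placeholder-certificate-controlled-by-attacker"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


# The SP's trust store: fingerprints of the certificates it accepts as IdP signers.
TRUST_STORE = {fingerprint(IDP_CERT_DER)}


def build_response(cert_der: bytes, assertion_id="_abc123", ref_uri=None) -> str:
    """Constructed sample Response; only the parts relevant to the check are present."""
    ref_uri = "#" + assertion_id if ref_uri is None else ref_uri
    cert_b64 = base64.b64encode(cert_der).decode("ascii")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion ID="{assertion_id}">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="{ref_uri}"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVz</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def pick_verification_cert(response_xml: str, trust_store):
    """
    Return (cert_der, None) with the certificate to verify the signature against,
    or (None, reason) if the message must be rejected.

    The embedded <ds:X509Certificate> is attacker-controlled input: it is only a
    hint about which trusted key to use, never a source of trust by itself.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:  # policy: this SP accepts exactly one Assertion per Response
        return None, "expected exactly one Assertion"
    assertion = assertions[0]

    # The signature must be a direct child of the Assertion it covers...
    sigs = assertion.findall("ds:Signature", NS)
    if len(sigs) != 1:
        return None, "Assertion has no (or more than one) enveloped Signature"
    sig = sigs[0]
    # ...and its Reference must point at that Assertion's own ID.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return None, "Signature Reference does not point at this Assertion"

    node = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        return None, "no X509Certificate in KeyInfo"
    cert_der = base64.b64decode("".join(node.text.split()))  # strip line wrapping

    # The decisive check: the token's certificate must match one we already trust.
    if fingerprint(cert_der) not in trust_store:
        return None, "embedded certificate is not in the trust store"
    # Only now hand cert_der to the XML-DSig verifier (C14N + RSA/ECDSA check).
    return cert_der, None


if __name__ == "__main__":
    for label, cert in (("genuine", IDP_CERT_DER), ("rogue", ROGUE_CERT_DER)):
        cert_der, reason = pick_verification_cert(build_response(cert), TRUST_STORE)
        print(label, "->", "accept" if cert_der else f"reject: {reason}")
```

The point of returning the trusted certificate rather than a boolean is that the caller then feeds exactly that certificate to the XML-DSig verifier; the bytes from the token are never used for the cryptographic check unless they are byte-for-byte one of the pinned certificates. A real deployment would also check the certificate's validity period and revocation status when it is loaded into the trust store.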