I'm trying to understand why we need to provide a certificate to create AuthnRequests. So far, I've generated a random one using `dsig.RandomKeyStoreForTest()`, and haven't imported this anywhere into my IDP, but everything is working smoothly - so I'm wondering what purpose it serves.
I'm assuming it's for a more complex use case?
Good question (and probably something that should be better documented). SAML supports signing of AuthnRequests, but support for this among IdPs is pretty variable and I'm not aware of a specific threat model it defends against. Some IdPs simply ignore signatures on requests, but others may return an error if they get a signed request and don't have a certificate, so if you're not using it I'd suggest setting SignAuthnRequests to false, which should let you simply use a nil keystore.
I'm having trouble with signing AuthnRequests. https://www.samltool.com/validate_authn_req.php thinks the signature is invalid, as does one IdP, but TestShib (in the past), Ipsilon and Azure AD SAML have accepted AuthnRequests.
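A way to check what an SP is actually putting on the wire, as an added example that is not part of the original thread or the library's own code: it decodes the `SAMLRequest` of an HTTP-Redirect URL with the Go standard library and reports whether a signature is embedded in the XML or carried as a detached `Signature` query parameter. The function names, the sample XML and the `idp.example.test` host are constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
)

// InspectRedirect decodes SAMLRequest (base64, then raw DEFLATE, capped at 1 MiB as untrusted input).
// embedded: the XML holds a ds:Signature element; detached: the URL has a Signature query parameter.
func InspectRedirect(rawURL string) (embedded, detached bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, false, err
	}
	detached = u.Query().Get("Signature") != ""
	packed, err := base64.StdEncoding.DecodeString(u.Query().Get("SAMLRequest"))
	if err != nil {
		return false, detached, fmt.Errorf("SAMLRequest is not base64: %w", err)
	}
	dec := xml.NewDecoder(io.LimitReader(flate.NewReader(bytes.NewReader(packed)), 1<<20))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return embedded, detached, nil
		} else if err != nil {
			return false, detached, fmt.Errorf("SAMLRequest is not deflated XML: %w", err)
		}
		if el, ok := tok.(xml.StartElement); ok && el.Name.Local == "Signature" && el.Name.Space == "http://www.w3.org/2000/09/xmldsig#" {
			embedded = true
		}
	}
}

// SampleURL wraps request XML in a constructed redirect URL (hypothetical IdP host).
func SampleURL(doc string, q url.Values) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(doc))
	w.Close()
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	return "https://idp.example.test/sso?" + q.Encode()
}

func main() { fmt.Println(InspectRedirect(SampleURL(`<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed"/>`, url.Values{}))) }
```

This only reports whether a signature is present and in which form; it does not verify it.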