SAML logout request is not sending cookies to IdP
cookies,https,fiddler,saml-2.0
The answer, as found by a colleague, was that the redirect request was an XHR request since it started in JavaScript and was not a ‘normal’ browser redirect. Cookies are only allowed to be included on cross-domain XHR requests if the destination server allows the requester access. So, the fix...
ADFS/SAML2.0 - How to set Claim Rules through Federation Metadata?
active-directory,saml,saml-2.0,adfs
You have to setup the claimsrules manually (or through powershell). ADFS does not look at that part of the metadata.
SSO: How to synchronize user accounts between service provider and Identity Provider?
In most cases users are created in local databases on SP side the moment user logs in through the IDP for the first time. And as user always has to authenticate through IDP in order to access SP, it is safe (from security point of view) to keep users which...
Spring Security SAML - Signature and Decryption
spring-security,saml-2.0,spring-saml
After spending some time, I found that this is not an issue. The Signature validation doesn't need a JKS keystore, as it is validated using the certificate-data/method in the SAML Response/Metadata. The only keystore required by us at the moment is for the decryption of the assertion and it works...
what this samlssoTokenId used for can it be used for refresh session and get new SAML certificate?
wso2,session-cookies,saml-2.0,wso2is
smalssoTokenId is a cookie, and it's used by WSO2 Identity Server (IS) to find user's SAML session. This cookie is set by IS, so browser will automatically take that to IS whenever a request goes there. That means, if user already has a SAML session at IS side, when s/he...
SAML SP complaining “Invalid digital signature”
There are a few reasons why a digital signature might be seen as invalid. Altered Document: Ensure that the document you are signing is not in any way altered after it is signed. Even the addition of a whitespace character will invalidate the signature. Character Encoding: If your document contains...
wso2is SingleLogoutProfile POST binding
spring-security,logout,saml-2.0,wso2is,spring-saml
HTTP-POST is a front-channel binding and its message exchanges must go through the User-Agent and use HTML form. In case wso2is makes the POST call directly to the SingleLogout endpoint (in a similar fashion as SOAP binding - without involvement of the user agent), they are unfortunately not following the...
How to log SAML response
You can find the actual SAML messages in the server.log file in PingFederate. So ../pingfederate/log is where those live.
SAML 2.0 Decrypting EncryptedAssertion removes a namespace declaration?
The following might solve your issue: Make sure to correctly endorse libraries shipped with OpenSAML Create your Decrypter with the rootInNewDocument property set to true: decrypter.setRootInNewDocument(true); ...
Please explain SAML2 Signatures and PKs
The private key would be used by the IDP to sign the SAML tokens that are being generated and sent to the SP. The SP would use the public key certificate to validate the signature in the SAML token. The private-public key pair will be created by the IDP and...
How to determine authorization rights after a login via SAML SSO
SAML is mainly a authentication protocol but there are still many ways to solve this. SAML supports sending authorization infromation in AuthzDecisionStatement in the assertion. Another alternative is to extend SAML using XACML which is a big framework for transferring Authz information. However the support for these are limited in...
How to use Kentor AuthService to get additional assertion attributes
c#,saml-2.0,claims-based-identity,kentor-authservices
The Kentor.AuthServices SP translates all attributes in the assertion to claims. If you set a breakpoint in your GetNameID method and inspect the claimsIdentity.Claims enumeration all attributes should be there. If they're not, please file an issue on the AuthService github page.
HttpMetadataProvider SAML 2.0
web-services,identity,saml-2.0
OpenSAML contains a metadata provider that can consume SAML metadata from a URL: http://svn.shibboleth.net/view/java-opensaml2/trunk/src/main/java/org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.java Learn OpenSAML and use it, don't roll your own....
HTTP-Redirect Binding SAML Request
single-sign-on,x509certificate,saml-2.0
A1: when using the Redirect binding you put the signature in the URL query parameters A2: all URL query parameters should be url-encoded, just the SAML Request should be compressed and base64-encoded in addition to that. A3: use the PEM format since that is base64 encoded already but leave out...
Spring SAML Sample application returns Could not initialize class org.apache.commons.ssl.TrustMaterial
java,spring,saml-2.0,spring-saml
You're most likely hitting a bug in the underlying OpenSAML and SSL library which presumes that file JAVA_HOME/lib/security/cacerts or JAVA_HOME/lib/security/jssecacerts is present and can be read as a JKS or PKCS12 keystore. In your case the file is probably corrupted. Please try updating the cacerts file in your JDK with...
How to terminate user session from Attask (Workfront) using SAML?
java,jquery,ajax,saml-2.0,attask
I solved the above problem by using https://domain.attask-ondemand.com/logout this url. Now user is able to log out globally from IDP and SP(WF) as well by hitting the given url from my SP. However this URL is not accessible from outside domain due to CORS, so I opened this link in...
Which part of the token that would be used for SAML2 Assertion validation and What are the steps of validating the assertion?
validation,saml-2.0,pingfederate
This isn't going to be the most kosher of answers, but you need to understand why you're doing before you can understand what you're doing. As such, I've compiled a list of the training videos that we host at Ping Identity. I would follow the order that I put them...
OAuth 2 - Custom Attributes like SAML
authentication,oauth-2.0,saml-2.0
SAML is an authentication protocol, OAuth 2.0 is not. This means that OAuth 2.0 and SAML cannot be compared in the way you suggest since OAuth 2.0 does not pass attributes about a user who has just authenticated. On top of that, Just-In-Time (JIT) provisioning is rather independent of SAML...
Can SAML Assertions Be Modified In Transit?
security,single-sign-on,saml,saml-2.0
The assertions in your SAML response SHOULD be signed using a private/public key pair and xmldsig. If they are correctly signed, changing the contents of an assertion will invalidate the signature, and thus the assertion itself. Now, if the service provider doesn't require a signature, or doesn't bother checking the...
SAML 2.0: Solicited vs Unsolicited SSO
When, as you suggest, users will always be initiated from the IDP - and in fact every IDP that the SP is connected to - then there's no need to add SP initiated SSO support to your SP. Of course one may argue that having support for SP initiated SSO...
OIOSAML Maven integration
java,maven,gwt,saml-2.0,opensaml
After manually adding every dependency to our Sonatype Nexus and creating a new maven war project, it finally worked. It doesn't work with our main project though as dependencies are clashing. I guess sometimes it's good to re-invent the wheel to be able to reduce the amount of dependencies clashing....
What to present at SAML EntityID URL?
The requirement is that the EntityId is a URI (not URL, in this case the difference between URIs and URLs is important). See "8.3.6 Entity Identifier" in the SAML2 Core spec. From SAML 2.0 Specification : 8.3.6 Entity Identifier URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity Indicates that the content of the element is the...
Single Logout Profile
You can find all details on how to send messages using different bindings in the SAML 2.0 bindings part of the SAML 2.0 standard. For details on how to attach signature to a message sent using HTTP-Redirect binding see chapter 3.4. The supported length of redirect URL is unpredictable and...
How to change Spring SAML destination endpoint?
java,spring,saml-2.0,spring-saml
filterProcessesUrl property of samlWebSSOProcessingFilter is correct answer and works fine. In my case, filterProcessesUrl must be set to "/sso". It was not working for me, because I was setting it to full endpoint URL (scheme://server:port/contextPath/sso) rather that just path. As stated in documentation, a few other properties must be set...
SP can be accessed by a number of URLs, how to have all the URLs work with an IDP
Part of the SAML's security model is verification of the intended endpoint - where IDP wants to deliver a SAML message - and endpoint where SP actually received the message - the two need to match. Therefore your SP metadata needs to include correct information about the URL where it...
How to get SAML Response from Ping Federate Service provider to local server?
In PingFederate terminology what you are trying to accomplish is last mile integration after the SAML assertion is processed by the PingFederate server operating in the SP role. There are two approaches that work best for providing subject & attribute information via last mile integration, mainly Agentless Reference ID integration...
How do I configure Spring Security SAML to work with Okta?
spring-security,saml-2.0,spring-saml,okta
I got it to work! The key appears to be setting Request to "Uncompressed". From there, I removed "alias/defaultAlias" since this only seems to work when you set an alias on the ExtendedMetadata. My settings that work on the Okta side: Application label: Spring Boot SAML App Force Authentication: false...
Decrypting SAML 2 assertion using .NET 4.5 (System.IdentityModel) / WIF
I had this problem, too, and I ended up getting past it with something like the answer to this question: How to disable Subject Key Identifier in SecurityTokenResolver Change your existing line ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false) to ServiceTokenResolver = new Saml2SSOSecurityTokenResolver(serviceTokens) and add a class like this: private class Saml2SSOSecurityTokenResolver...
SAML2.0 Assertions vs. SAML2.0 Messages
A SAML Assertion is an XML document that represents a set of claims (i.e. name/value pairs) about a user asserted by an Identity Provider. A SAML Assertion is not a SAML message itself, but it is contained in a SAML Response message. Apart from that there are other SAML messages...
How to add new idp metadata in spring-SAML at runtime
spring-security,saml-2.0,spring-saml
The CachingMetadataManager is synchronized and you can add/remove MetadataProviders during runtime by getting the bean from the application context and calling addMetadataProvider/removeMetadataProvider.
Unable to lookup idp connection metadata for entityid='http://sp.example.com/sp'
You can find possible solutions to your problem in Ping's support center: https://www.pingidentity.com/support/solutions/index.cfm/SSO-fails-with-Unable-to-lookup-sp-or-idp-connection-metadata-for-entityid In the server.log, the error "Unable to lookup sp connection metadata for entityid" is seen. This is usually an indication that there is a mismatch between the Partner Entity ID (Connection ID) configured in the IDP-side PingFederate...
Can WIF Saml2SecurityTokenHandler validate top-level signature?
.net,single-sign-on,wif,saml-2.0,claims-based-identity
OK, indeed you are parsing real SAML2 messages. WIF does not support that. WIF probably considers this an unsigned Assertion. I would have to dig in with Reflector and/or the reference source. Any way you would have to do the parsing and verification yourself. And I personally do not use...
PingFederate WS-Fed error Crypto algorithm sha512 not supported in this context
c#,asp.net-mvc-4,saml-2.0,pingfederate
SHA512 isn't supported out of the box for .NET applications (don't ask me why). It can be enabled on a per application basis. See http://stackoverflow.com/a/21435041/280222. This should work if pingfederate picks up the global algorithm list, but I've not worked with pingfederate myself so I'm not sure of the solution....
WSO2IS: SSO session timeout doesn't work
wso2,single-sign-on,saml-2.0,wso2is
How exactly is the session expired on the identity server? By default Identity Server 5.0 have session for 15mins and it only can reduce the time using the web.xml (which is at <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder) If you installed Service Pack 1 for the Identity Server 5.0, it have the session persistence...
Audience Restriction is missing from SAML 2 response
First, I want to highlight that Identity Server supports for following two profiles. SAML2 SSO Web browser based profile. (SAML2 Assertions are used) More details from here WS-Federation (Passive STS) profile. (SAML Assertion) Normally ASP.NET is by default supports for 2 profile. Therefore you are integrating using Passive STS. It...
Prepare SAML Authentication request using OpenSaml3.1.1
java,saml-2.0,shibboleth,opensaml
This is the reply i got it from official forum: A) An alternative API to be used in OpenSAML 3.1.1 for "SecureRandomIdentifierGenerator" A.1)Using Open SAML 2.6 Sample SessionID generation at SP(non shibboleth SP Component) is given below :: SecureRandomIdentifierGenerator generator = new SecureRandomIdentifierGenerator(); sessionId=generator.generateIdentifier(); A.2)Using Open SAML 3.1.1 ??? The...
Single sign-on support for REST APIs
rest,oauth,oauth-2.0,single-sign-on,saml-2.0
Indeed OAuth 2.0 can be used for this use case because it allows so-called clients (i.e. your unattended processes) to obtain an access token granted by developers and use that token against your APIs. A typical flow to use here is the code flow: you would run an Authorization Server...
Spring Framework SAML unable to find needed beans through autowired
spring-security,saml-2.0,spring-saml
The secret to figure all this stuff out is to look at the sample apps context files and paste in everything, then remove the stuff you don't need. There is a ton of stuff in the sample app that isn't mentioned in the docs. I was able to get it...
SAML - Getting response from the identity provider
Your code: $response = new \SAML2_Response(); actually creates a new SAML 2.0 Response object instead of parsing the one that is posted back from the IDP. This call should be used by an IDP that wants to create a SAML response. You should be looking to execute something like the...
Creating SAML indentity assertion in Spring web app
spring,single-sign-on,saml-2.0,opensaml
OpenSAML is the best (and possible the only) Java library which simplifies low-level handling of SAML messages. You can find examples on how to use it to implement SAML IDP/SP components in source codes of products like Shibboleth or Spring SAML. You can also find some examples in this blog....
Log in to SimpleMebership app using external SAML identity provider
c#,.net,asp.net-mvc,saml,saml-2.0
After discussing it with a colleague I think I figured out the course of actions. Both OAuthWebSecurity and WebSecurity appear to be a part of SimpleMembership, so what I wrote in the question would indicate I want to write a custom membership or reverse engineer SimpleMembership to copy OAuthWebSecurity (which...
Disable SAML token authentication response digital signing
Digital signing of what - the SAML token, the AuthN request ...? In terms of the token - No - that would break security. In terms, of the AuthN request, yes - it's an option in the AuthN request. However, for this to work you would have to liaise with...
Should SSO Request Bindings match between an SP and IdP?
No, an SP can send SSO Requests using the HTTP Redirect binding as long as the IDP is configured to receive those requests over that binding. Separately and IDP can send SSO Responses over any binding that it wants to including HTTP Post as long as the SP is able...
Is exchange of metadata required for a working SAML2 connection?
As addressed in the first answer, exchanging metadata is not required, it is an option. Note that since you're the Service Provider, you're not required (by spec) to sign your messages. The other way around is required of course: the IDP needs to sign its messages. So are you even...
Requested Authentication Method is not supported on the STS
windows-authentication,saml,saml-2.0,adfs,adfs3.0
We have solved this by sending more authentication options and specifying Comparison to minimum <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="minimum" > <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> <saml:AuthnContextClassRef...
SAML marshalling opensaml and java
I've noticed that if you don't initialize ("bootstrap") the SAML configuration, you get a NullPointerException (rather unhelpfully, I might add) when you try to construct the SAML. import org.opensaml.DefaultBootstrap; import org.opensaml.xml.ConfigurationException; try { DefaultBootstrap.bootstrap(); } catch (ConfigurationException ce) { } The above is just a snippet of code to illustrate...
Can trusted credentials be used with SAML?
saml,saml-2.0,adfs,opensaml,pingfederate
I think you're confused between SAML and the authentication mechanism at the Identity Provider (IdP). Ultimately, the limit on credentials is at the IdP. SAML, in and of itself, is agnostic about the authentication mechanism used at the IdP. It simply doesn't care. All it does is provide a standards-based...
How to read the saml response that comes to the “../adfs/ls/”?
asp.net,single-sign-on,saml,saml-2.0,adfs2.0
I'm answering from SAML and not from ADFS. Regarding question 2, i would expect that you would have received a block of XML called SAML Metadata that describes your customer's IDP. In that metadata, i would expect that you would receive your customer's public key (2.4.1.1 Element KeyDescriptor). I don't...
Kentor.AuthServices configuring thumbprint validation
.net,single-sign-on,wif,saml-2.0,kentor-authservices
No, currently (version 0.12.0), there is no way to set an own IssuerNameRegistry. This is however something that I'm looking into, as part of #145. The change is however non-trivial, as it's not just to feed a configured IssuerNameRegistry to WIF because that only covers the case where the assertion...
WIF config: issuerNameRegistry vs. certificateValidation
.net,single-sign-on,wif,saml-2.0,claims-based-identity
IssuerNameRegistry is a lookup table from Thumbprint to EntityID. Only Issuers in that table will be trusted. CertificateValidationMode is additional on top of the table requirement. "None" is almost always the best setting. Because the trust is setup through metadata, normally not through chain trust to a CA. So ChainBuilding,...
Spring SAML credentials and platform accounts
java,spring-security,saml,saml-2.0,spring-saml
You should implement org.springframework.security.saml.userdetails.SAMLUserDetailsService and plug it into the samlAuthenticationProvider bean. In case user doesn't exist you should throw UsernameNotFoundException exception, otherwise just populate and return data from your DB. On top of that you should implement your own org.springframework.security.web.authentication.AuthenticationFailureHandler and plug it into samlWebSSOProcessingFilter bean. This implementation will be...
Spring Boot and SAML 2.0
I realized a sample project in order to show how to integrate Spring Security SAML Extension with Spring Boot. The source code is published on GitHub: spring-boot-saml-integration on GitHub ...
Spring Security SAML assertion expiry with Application Session Expiry
angularjs,session,spring-security,saml-2.0,spring-saml
Spring SAML issues an ExpiringUsernameAuthenticationToken for authenticated users. The token starts returning false in its isAuthenticated() method once the SAML Assertion used to authenticate the user reaches its sessionNotOnOrAfter time. This behavior can be disabled by overriding SAMLAuthenticationProvider and changing method getExpirationDate(credential), which returns time when the Assertion expires, or...
Multiple Adapters in Ping Federate
ldap,saml-2.0,openldap,pingfederate
you can simply use multiple data source. Configure the filter of the other Data source form the unique value of first Data source. ex : uid=${userId} .
wso2is custom authenticationendpoint, redirect page not used
single-sign-on,saml-2.0,wso2is
If you are using WSO2IS 5.0.0 version or higher version, You can simplify edit html file which can be found at IS_HOME\repository\resources\security\sso_redirect.html Following applies to WSO2IS 4.6.0 and older versions It seems to be that redirect page is can not be customized by using some extension. Please see this jira...
SAML login errors
spring,spring-security,saml-2.0,spring-saml
Your IDP is re-using information that user has authenticated earlier (at time identified by Authentication Instant) and Spring SAML is by default configured to not let user login if she's been authenticated more than 7200 seconds ago. It's a security measure - if it's a long time ago since the...
Saml2 Service Provider in Python
Update: A detailed explanation on using PySAML2 with Okta is now on developer.okta.com. Below is some sample code for implementing a SAML SP in Python/Flask. This sample code demonstrates several things: Supporting multiple IdPs. Using Flask-Login for user management. Using the "SSO URL" as the audience restriction (to simplify configuration...
How to get an already issued SAML assertion?
c#,asp.net,saml-2.0,thinktecture
I have found the answer to this. The SAML assertion can be found in the ClaimsIdentity var icp = System.Security.Claims.ClaimsPrincipal.Current; var claimsIdentity = icp.Identity as System.Security.Claims.ClaimsIdentity; var token = claimsIdentity.BootstrapContext as System.IdentityModel.Tokens.BootstrapContext; For this to be populated you need to add the following to the web.config: <identityConfiguration saveBootstrapContext="true"> ...
SAML authnresponse binding
No. For SAML 2.0 Web SSO, you cannot use HTTP-Redirect Binding for the AuthnResponse. Your only valid Bindings are HTTP-POST or HTTP-Artifact. Page 6 of the SAML 2.0 Conformance doc outlines the valid bindings for various scenarios-- http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf...
How the IdP know the name of the variable that contain the authnRequest
saml,saml-2.0,opensaml,simplesamlphp
The attribute name "SAMLRequest" is defined as part of the SAML 2.0 standard. You can find more details about it in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, it's in chapter 3.4 HTTP Redirect Binding.
How to use SAML 2.0 AttributeQuery in ADFS?
saml,saml-2.0,adfs,adfs2.0,openam
Unlike OpenAM, ADFS doesn't support SAML 2.0 Query Profiles including the AttributeQuery protocol. The available endpoints and profiles are listed here http://technet.microsoft.com/en-us/library/adfs2-help-endpoints(v=ws.10).aspx The WS-Trust standard (supported by ADFS) has a possibility to define which claims (attributes) should be returned as part of the security token. See an example of issuing...
How to configure Azure ACS to return SAMLResponse parameter instead of RSTR xml?
azure,single-sign-on,wif,saml-2.0,acs
SAMLResponse is part of the SAML2p protocol - ACS does not support that. Maybe have a look at Azure AD instead - http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx...
How to form SP initiated URL for openam/saml2 with ADFS?
single-sign-on,saml-2.0,adfs,openam
The problem was - my IDP forces to use only URN in idpEntityID. The issue is solved. Thanks :)
Implementing Service Provider, IdP and user in java with SAML (POC) [closed]
java,web-services,java-ee,saml-2.0,ws-trust
After a lot of gooogle finally I found this website which will help step by step that how to setup SAML. http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile ...
How to configure Custom Attributes in SP metadata
There is no universal answer as it depends on which IDP/federation you use and what is supported by it. Generally, the friendly name is just a human-readable identifier for the attribute and the value can be freely defined. The NameFormat and Name are defined based on Attribute Profile used by...
Connection between SP and IDP in multiple SP SSO scenario
As far as I know it is not specified how the IDP keeps track of security contexts. But I have never seen anything else than cookies. I'm not sure you need the tunnel. There will not be any direct communication between SP1 and SP2 only between the SPs and IDP....
Difference between JWT and SAML?
java,security,spring-security,saml-2.0,jwt
Both SAML and JWT are security token formats that are not dependent on any programming language. SAML is the older format and is based on XML. It's used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required). JWT (JSON Web Token) tokens are based on JSON and...
Using WSO2 and OwnUserStore and an own claim
wso2,single-sign-on,saml-2.0,wso2is
I think this is an issue with the user store manager that you have written. As this is a null pointer exception, you can go through the 778 line in the AbstractUserStoreManager and find out, why null has been generated. I guess, This is due to that, in your custom...
Kentor Auth Services - Additional Claim
c#,owin,saml-2.0,kentor-authservices
When using AuthServices (or any external login) together with ASP.NET Identity, the incoming claims are only used for looking up the ASP.NET Identity user in the database. Then incoming user is then discarded completely and the user from ASP.NET Identity is loaded and used In the default MVC5 template, the...
.net 4.5 web forms c# Context of a variable isn't found in Codefile
.net,webforms,code-behind,saml-2.0
Solution: Killed the entire aspx page. created a new one through the studio tools, then merged the aspx and cs files together. Still not sure what went wrong (inheritance linking incorrectly, etc..) but code is now compiling.. Now to add the logging functionality as described above, and then actually add...
Setting Up ADFS 2.0 in Virtual Machine
asp.net,virtual-machine,saml-2.0,adfs,federated-identity
A Server 2012 can run inside of Virtual Box. B When setting up the VM, you will want to choose the Bridged networking networking option. This will make your ADFS guest look like any other computer on your local network....
how to implement a SP saml 2 with mvc?
c#,asp.net-mvc,asp.net-mvc-3,saml,saml-2.0
Yes - it is possible. You need to implement a SAML stack on your side. Refer SAML : SAML connectivity / toolkit and the two links at the top of that post. There are some open-source and some commercial stacks. The commercial ones have a lot of sample code and...
In SAML, is there a difference between usernames and a principal's NameID?
Name identifiers can be anything; an email address or a Kerberos principal name are common, every-day examples of such information. They do not always equal the username. Straight from Shib documentation . Thus you could have a NameID coming back from your IdP as something completely unrelated to the username....
Is there a PingFederate metadata URL?
PingFed doesn't currently have this functionality built in beyond turning on Auto-Connect. It is a current feature request.
SSO implementation using Shibboleth with Google App Engine java
java,google-app-engine,saml-2.0,shibboleth
You can embed Spring SAML Extension (product built on top of OpenSAML) into your application. It will enable you to act as a SAML 2.0 Service Provider. You can see a working demo of such approach at http://saml-federation.appspot.com/ which shows a Spring SAML sample application connected to SSO Circle IDP....
passport-saml and SAML encryption
node.js,encryption,passport.js,saml-2.0,shibboleth
Yes, the cert is the certificate of the identity provider -- not necessarily its HTTPS certificate though. Your shibboleth identity provider should have a provider metadata document. If you haven't already, you probably want to make sure the contents of uwIdpCert matches the <ds:X509Certificate> block in that document. (here is...