SAML response between IDP and SP

samlresponse sent from idp back to browser, who posts via form to service provider. the response is encrypted with the public key of the service provider

Usually, the SP creates a SAML request, and also creates a form whose action submits the authnRequest value to the IDP. The trick is that the IDP and the SP agree that if the requests is signed with a key that is acceptable, the SP can be sure the IDP has actually verified who the person says they are.

For example, the SP creates the request below…

  <form action='' id='samlPost' method='POST'>
    <input name='SAMLRequest' type='hidden' value='PHNhbWxwOkF1dGhuU<snip>G5SZXF1ZXN0Pg=='>

…and the browser submits it to the IDP…

  <form method="POST" name="hiddenform" action="">
    <input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc<snip>lc3BvbnNlPg==" />

…which redirects the browser back to the SP with the signed response…

  <form action='' id='authenticationPost' method='POST'>
    <input name='code' type='hidden' value='Q9ZaCo<snip>MPrPWGw=='>
    <input name='return_to' type='hidden' value=''>