SAML response between IDP and SP

The SAMLResponse is sent from the IDP back to the browser, which posts it via a form to the service provider (SP). The response is encrypted with the public key of the service provider.

Usually, the SP creates a SAML request and also creates a form whose action submits the authnRequest value to the IDP. The trick is that the IDP and the SP agree that if the request is signed with an acceptable key, the SP can be sure the IDP has actually verified that the person is who they say they are.

For example, the SP creates the request below…


…and the browser submits it to the IDP…


…which redirects the browser back to the SP with the signed response…
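The round trip above as an added example in Python (not code from the original post): the SP builds the AuthnRequest form for the HTTP-POST binding, and on return checks that the posted SAMLResponse answers that request. The function names, entity IDs and URLs are assumptions, and signature verification is left to an XML signature library.

```python
import base64
import html
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request_form(sp_entity_id, acs_url, idp_sso_url):
    """SP side (hypothetical helper): return (request_id, html_form)."""
    request_id = "_" + uuid.uuid4().hex  # unguessable; the SP keeps it in the user's session
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    encoded = base64.b64encode(ET.tostring(req)).decode("ascii")
    form = (f'<form method="post" action="{html.escape(idp_sso_url)}">'
            f'<input type="hidden" name="SAMLRequest" value="{encoded}"></form>')
    return request_id, form

def check_response_envelope(saml_response_b64, expected_request_id, acs_url, idp_entity_id):
    """SP side (hypothetical helper): bind a posted SAMLResponse to our own request.
    Does NOT verify the XML signature; a vetted library must do that as well."""
    text = base64.b64decode(saml_response_b64, validate=True).decode("utf-8")
    # Reject DTDs before parsing (entity expansion, XXE); a hardened parser
    # such as defusedxml is the usual choice for untrusted XML.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the request we issued")
    if root.get("Destination") != acs_url:
        raise ValueError("response was addressed to a different endpoint")
    if root.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        raise ValueError("unexpected issuer")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    return True
```

Passing these checks only shows the response is addressed to this SP and answers this request; the IDP's signature still has to validate against the key the SP trusts.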


	    
