Why use an x.509 certificate to encrypt xml? Why not just transmit over https?

既然无缘 2021-01-24 17:36

Don't know much about encryption...

Say I'm preparing a SAML request to submit to an identity provider. Why would I need to apply an x.509 certificate to this request?

5 answers
  •  耶瑟儿~
    2021-01-24 18:05

    All that HTTPS will do is encrypt the communication between two points and prevent eavesdroppers -- it won't confirm who it was that sent the message. Neither will it assure secure communication if your message is then forwarded.

    If you sign your request with the X.509 certificate you can be assured the decryptor has the shared secret contained in the certificate. In other words, you can be assured the message can only be decrypted by the organisation you want it to be decrypted by.

    In your case, the X.509 encryption requirement means that you should be assured that the identity provider is the only organisation that will receive your request.

    A useful Wikipedia primer is here.
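
Added example, not part of the question or the answer above: a message-level signature travels with the request, so a receiver can still check the sender and the content after the request has left the original HTTPS connection. It uses a detached RSA-SHA256 signature over the raw bytes as a simplification (SAML's POST binding uses XML Signature with canonicalization); the names `sp.example`, `other.example`, the request ID and the function name are constructed.

```shell
#!/usr/bin/env bash
# Added example: sign a constructed SAML-style request with the sender's
# private key and verify it using only the sender's X.509 certificate.
# Assumption: the openssl CLI is installed. All names are constructed.

saml_signature_demo() {
  local dir f
  dir=$(mktemp -d) || return 1

  # Sender (service provider): key pair plus self-signed certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sp.example" \
    -keyout "$dir/sp.key" -out "$dir/sp.crt" 2>/dev/null || return 1

  # Constructed request body.
  printf '%s' \
    '<samlp:AuthnRequest ID="_constructed1" Issuer="https://sp.example"/>' \
    > "$dir/request.xml"

  # Sender signs with the private key, which never leaves the sender.
  openssl dgst -sha256 -sign "$dir/sp.key" \
    -out "$dir/request.sig" "$dir/request.xml" || return 1

  # Receiver (identity provider) holds only the certificate.
  openssl x509 -in "$dir/sp.crt" -pubkey -noout > "$dir/sp.pub" || return 1

  # Case 1: request relayed unchanged over some other hop.
  cp "$dir/request.xml" "$dir/forwarded.xml"
  # Case 2: an intermediary rewrites the issuer before relaying.
  sed 's/sp\.example/other.example/' "$dir/request.xml" > "$dir/tampered.xml"

  # The same signature is checked against both copies.
  for f in forwarded tampered; do
    if openssl dgst -sha256 -verify "$dir/sp.pub" \
         -signature "$dir/request.sig" "$dir/$f.xml" >/dev/null 2>&1; then
      echo "$f=valid"
    else
      echo "$f=invalid"
    fi
  done

  rm -rf "$dir"
}
```

Calling `saml_signature_demo` prints one result line per copy of the request.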
