Public key #61

@mamba73

We have a problem setting the public certificate in the $certificate variable in the SamlResponse.php file.
We generated metadata about the IdP (an XML file with the public key of the IdP), which we forwarded to the SP.
On the IdP, we set the public and private key in the $cert and $key variables of the IdP.
Now when we change the public key to any other (self-signed) one and set it in the $cert variable, the traffic goes through and we can successfully authenticate to the SP.
If we change the private key, the traffic doesn't go through, which is fine.
We are concerned that when we change the public key, the response to the SP goes through and the user can be authenticated.
Do we need to store the public key of the SP somewhere on the IdP, or sign the assertion with the public key of the SP?
Ty,
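
One way the behaviour described above can arise, shown as an added example that is not part of the original post or the project's code: a signature is produced by the private key alone, so a verifier that checks against the certificate pinned from the IdP metadata is unaffected by which certificate the IdP attaches to the response. The example assumes plain `openssl_sign` over raw bytes in place of XML-DSig, and all function names, hostnames and the assertion string are constructed.

```php
<?php
// Added example; every key, certificate and message below is constructed for illustration.

// Generate an RSA key pair and a self-signed certificate for it.
function makeKeyAndCert(string $commonName): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $commonName], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $certPem);
    return [$key, $certPem];
}

// IdP side: the signature comes from the private key; the certificate is only attached.
function idpSign(string $assertion, $privateKey, string $attachedCertPem): array
{
    openssl_sign($assertion, $signature, $privateKey, OPENSSL_ALGO_SHA256);
    return ['assertion' => $assertion, 'signature' => $signature, 'cert' => $attachedCertPem];
}

// SP side, pinned: verify against the certificate taken from the IdP metadata.
function spVerifyPinned(array $msg, string $metadataCertPem): bool
{
    return openssl_verify($msg['assertion'], $msg['signature'], $metadataCertPem, OPENSSL_ALGO_SHA256) === 1;
}

// SP side, unpinned: verify against whatever certificate arrived with the message.
function spVerifyAttached(array $msg): bool
{
    return openssl_verify($msg['assertion'], $msg['signature'], $msg['cert'], OPENSSL_ALGO_SHA256) === 1;
}

[$idpKey, $idpCert] = makeKeyAndCert('idp.example.test');       // cert published in metadata
[$otherKey, $otherCert] = makeKeyAndCert('other.example.test'); // unrelated self-signed pair
$assertion = '<Assertion ID="_constructed">user@example.test</Assertion>';

$cases = [
    'original key, original cert' => idpSign($assertion, $idpKey, $idpCert),
    'original key, swapped cert'  => idpSign($assertion, $idpKey, $otherCert),
    'swapped key, original cert'  => idpSign($assertion, $otherKey, $idpCert),
    'swapped key, swapped cert'   => idpSign($assertion, $otherKey, $otherCert),
];

foreach ($cases as $label => $msg) {
    printf("%-28s pinned=%s attached=%s\n", $label,
        var_export(spVerifyPinned($msg, $idpCert), true),
        var_export(spVerifyAttached($msg), true));
}
```

Only the pinned check ties acceptance to the key published in the metadata; the attached-certificate check accepts any message whose certificate matches its own signature, which is why an SP should verify against the metadata certificate and not the one carried in the response.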
