SAML 2.0 SP metadata: Purpose and the use of certificate


Here is part of an SP metadata.

Reference: Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0

    ...
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    ...

Are there benefits to choosing the same (or different) certificate for both the signing and the encryption certificate?

What is the purpose of including the signing certificate here?

If the message is sent through HTTPS, transport layer encryption is provided. Do we still need to include the encryption certificate here?

In SAML 2.0 Web SSO's metadata, providers typically declare the same certificate for both signing and encryption usage.

There are use-cases where usage of different keys makes sense - e.g. when the SP is not supposed to be able to decrypt data provided by the IdP (e.g. NameID or attributes), which is done by the ultimate recipient of the assertion; or when a different party provides content for creation of the assertion than the party which creates the SAML messages - but these use-cases are rare and more relevant to other profiles than Web SSO.

The signing certificate is included in order to inform users of the metadata on how to verify messages provided by the issuer of the metadata. For example, when the SP receives a message from the IdP, it uses the signing certificate defined in the IdP's metadata in order to verify whether the message was created by the IdP and wasn't tampered with during transport.

You typically don't need to include the encryption certificate in case encryption is done on the transport layer and you don't perform encryption on the message level (e.g. of the whole message, assertion, NameID or attributes).
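As an added example (not part of the question or the answer above), this Python reads the KeyDescriptor elements of SP metadata by their `use` attribute, treats a descriptor without `use` as valid for both purposes as the metadata specification allows, and reports whether one certificate serves both roles. The metadata and the certificate strings are constructed placeholders; for metadata fetched from an untrusted source, parse with defusedxml rather than the stdlib parser.

```python
"""Extract signing and encryption certificates from SAML 2.0 SP metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata; the certificate bodies are placeholders, not real certs.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...SIGNCERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...ENCCERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def certificates_by_use(metadata_xml):
    """Return {"signing": [...], "encryption": [...]} from the SP's KeyDescriptors.

    A KeyDescriptor with no `use` attribute applies to both purposes, so its
    certificate is recorded under both keys. Whitespace inside the base64
    body is removed; empty elements (as in the question's snippet) are skipped.
    """
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in result else list(result)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())
            if not body:
                continue
            for u in uses:
                result[u].append(body)
    return result


def uses_shared_certificate(certs):
    """True when at least one certificate is declared for both signing and encryption."""
    return bool(set(certs["signing"]) & set(certs["encryption"]))
```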

