Reuse the generated keys

Another common practice in SAML-based SSO is to sign request/response XML objects by including an XML Signature. Typically, the same key pair used for encryption is reused for signing as well; you can also generate a separate set of keys for this purpose.

Add the following key-value pair to the SAML strategy config options object:

privateCert: PvK,

Add the public key as a signing certificate to your metadata by passing it as the second argument to the generateServiceProviderMetadata function:

app.get("/jhu/metadata", (req, res) => {
  res.type("application/xml");
  res.status(200);
  res.send(samlStrategy.generateServiceProviderMetadata(PbK, PbK));
});

Now run the server and head over to http://localhost:7000/jhu/metadata. Notice the <KeyDescriptor use="signing"> element that has been added to the metadata XML.
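Rather than eyeballing the served XML, you can check it. The following is an added example (not part of the original tutorial or of passport-saml) that parses SP metadata such as the /jhu/metadata output and confirms both a signing and an encryption KeyDescriptor are present and carry the certificate you meant to publish. PEM_CERT and SAMPLE_METADATA are constructed placeholders; point checkMetadata at the real metadata and your real public certificate.

```javascript
// Added example, not code from the original tutorial or from passport-saml.
// Constructed placeholder certificate (not a real X.509 certificate).
const PEM_CERT = `-----BEGIN CERTIFICATE-----
MIIBexampleCERTbody1234
-----END CERTIFICATE-----`;

// Constructed metadata in the shape an SP publishes after adding the signing cert.
const SAMPLE_METADATA = `<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="example-sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBexampleCERTbody1234</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBexampleCERTbody1234</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>`;

// Strip PEM armour and whitespace so the body can be compared with the XML value.
function pemBody(pem) {
  return pem.replace(/-----[^-]+-----/g, "").replace(/\s+/g, "");
}

// Map each KeyDescriptor's use attribute to the (whitespace-free) certificate it carries.
function keyDescriptors(xml) {
  const out = {};
  const kd = /<(?:\w+:)?KeyDescriptor\s+use="(\w+)"[^>]*>([\s\S]*?)<\/(?:\w+:)?KeyDescriptor>/g;
  const cert = /<(?:\w+:)?X509Certificate>([\s\S]*?)<\/(?:\w+:)?X509Certificate>/;
  let m;
  while ((m = kd.exec(xml)) !== null) {
    const c = cert.exec(m[2]);
    out[m[1]] = c ? c[1].replace(/\s+/g, "") : "";
  }
  return out;
}

// Return a list of problems; an empty list means both descriptors are present and correct.
function checkMetadata(xml, expectedPem) {
  const found = keyDescriptors(xml);
  const want = pemBody(expectedPem);
  const problems = [];
  for (const use of ["signing", "encryption"]) {
    if (!(use in found)) problems.push(`missing KeyDescriptor use="${use}"`);
    else if (found[use] !== want) problems.push(`certificate mismatch for use="${use}"`);
  }
  return problems;
}
```

Run checkMetadata on the XML fetched from the metadata route; any non-empty result means the served metadata does not match the key material you configured.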

Diff
diff --git a/code/index.js b/code/index.js
index 468616d..25c43d4 100644
--- a/code/index.js
+++ b/code/index.js
@@ -18,6 +18,7 @@ const samlStrategy = new saml.Strategy(
     issuer: SP_NAME,
     callbackUrl: `${BASE_URL}/jhu/login/callback`,
     decryptionPvk: PvK,
+    privateCert: PvK,
   },
   (profile, done) => {
     return done(null, profile);
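Review bot: the added `privateCert: PvK` line points at the same private key that `decryptionPvk` already uses, so a single key now covers both the confidentiality of incoming assertions and the authenticity of outgoing requests, and rotating or revoking it for one role forces the other along with it. Since the write-up itself says a separate key pair can be generated for signing, consider loading a distinct signing key here (for example `privateCert: SIGNING_PVK`) so that a compromise or rotation of one key does not affect the other.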
@@ -64,7 +65,7 @@ app.post(
 app.get("/jhu/metadata", (req, res) => {
   res.type("application/xml");
   res.status(200);
-  res.send(samlStrategy.generateServiceProviderMetadata(PbK));
+  res.send(samlStrategy.generateServiceProviderMetadata(PbK, PbK));
 });
 
 // Start the server.
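Review bot: `generateServiceProviderMetadata(PbK, PbK)` passes the same certificate positionally in both the decryption and the signing slot, which is easy to misread and will silently publish the wrong certificate in one of the two KeyDescriptor elements if the keys are ever split; add a brief comment naming the two arguments (decryption cert, signing cert) or bind them to separately named constants, and after deploying confirm the served metadata contains both `KeyDescriptor use="encryption"` and `KeyDescriptor use="signing"` with the certificate you expect.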