IAM in Service Catalog
After the IdP successfully authenticates a user, it sends an authentication response back to the SP via a browser redirect. The IdP always uses a digital signature to ensure the origin and integrity of the response to the SP. SPs should always verify the digital signature and reject any IdP responses that fail this test.
Signing and verification are based on the IdP's public/private key pair. The private key is used by the IdP for signing, and the public key, which is published in the IdP's metadata, is used by the SP to verify the digital signature.
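The sign-then-verify flow described above, as an added example in Go that is not code from the original page: a simulated IdP signs the response with its private key, and an SP that holds only the public key taken from the IdP metadata accepts a genuine response but rejects a tampered one and one signed by some other key. It simplifies real SAML by signing the raw response bytes with RSA-SHA256 instead of using XML Signature; the type and function names are hypothetical and the key pair is generated in-process for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// IdentityProvider holds the signing key pair. The public half is what the
// IdP publishes in its metadata; the private half never leaves the IdP.
type IdentityProvider struct {
	key *rsa.PrivateKey
}

// NewIdentityProvider generates a 2048-bit RSA key pair (constructed here for the example).
func NewIdentityProvider() (*IdentityProvider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{key: key}, nil
}

// Metadata returns the public key an SP would read from the IdP metadata document.
func (idp *IdentityProvider) Metadata() *rsa.PublicKey {
	return &idp.key.PublicKey
}

// SignResponse produces an RSA-SHA256 signature over the response bytes.
// Simplification: real SAML uses XML Signature over canonicalised XML; here
// the raw bytes are signed directly so the flow stays visible.
func (idp *IdentityProvider) SignResponse(response []byte) ([]byte, error) {
	digest := sha256.Sum256(response)
	return rsa.SignPKCS1v15(rand.Reader, idp.key, crypto.SHA256, digest[:])
}

// ServiceProvider trusts only the public key obtained from the IdP metadata.
type ServiceProvider struct {
	idpKey *rsa.PublicKey
}

// AcceptResponse verifies the signature; any error means the SP must reject the login.
func (sp *ServiceProvider) AcceptResponse(response, sig []byte) error {
	digest := sha256.Sum256(response)
	if err := rsa.VerifyPKCS1v15(sp.idpKey, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("rejecting response: signature verification failed: %w", err)
	}
	return nil
}
```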
Note that the IdP has two options for signing responses: