Describe the bug

I am trying to integrate SAML 2.0 authentication with Keycloak SAML. I came across the samples https://github.com/vdenotaris/spring-boot-security-saml-sample and https://blog.codecentric.de/secure-spring-boot-app-saml-keycloak

I implemented the configuration from the sample. From what I know, SAML requires a public certificate to verify the response. So in the sample, there is a keystore called samlKeystore.jks with a certificate with the alias "ssocircle". There is also a private key with the alias "apollo", which is expired.

When I run the application, I saw that only the private key is used for signing the message. I could not see where the certificate ssocircle is used. I'm able to see the ssocircle login page and able to log in.

I deleted this certificate from the keystore and tried to log in again; I still get the login page and am able to log in successfully.

It is the same with Keycloak as well. The samlKeystore.jks needs to be imported into the keys section of the client. I don't seem to understand the need for the public certificate.

To Reproduce

Steps to reproduce the behavior:

Check out the code from https://github.com/vdenotaris/spring-boot-security-saml-sample. In the resources/saml folder, delete the ssocircle certificate from samlKeystore.jks, build the project, and run the Spring Boot application. When third-party login is clicked, it successfully lands on the login page and allows you to log in.

Expected behavior

It should not allow you to log in without a valid certificate.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

https://github.com/vdenotaris/spring-boot-security-saml-sample

I tried to ask and understand this here, but I could not get any help. Please help. https://stackoverflow.com/questions/75427866/spring-saml-2-0-does-not-use-the-imported-certificated-in-the-samlkeystore-jks-t

Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.
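The security property the reporter is looking for is that the IdP's public certificate is the only thing allowed to validate the signature on the SAML response, and that the service provider refuses to start if that certificate is missing or expired. Below is an added example (not code from the sample repository or from the issue) that expresses this with Spring Security's built-in SAML 2.0 support rather than the older spring-security-saml extension the sample uses; the keystore path, password and Keycloak URLs are placeholders, and "ssocircle" is the alias named in the issue.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

@Configuration
public class Saml2VerificationConfig {

    // Placeholders for this example; the keystore name and alias are the ones the issue mentions.
    private static final String KEYSTORE_PATH = "/saml/samlKeystore.jks";
    private static final String KEYSTORE_PASSWORD = "KEYSTORE-PASSWORD-PLACEHOLDER";
    private static final String IDP_CERT_ALIAS = "ssocircle";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
        X509Certificate idpCert = loadIdpCertificate();
        RelyingPartyRegistration registration = RelyingPartyRegistration
                .withRegistrationId("keycloak")
                .assertingPartyDetails(party -> party
                        .entityId("https://IDP-HOST-PLACEHOLDER/realms/REALM-PLACEHOLDER")
                        .singleSignOnServiceLocation("https://IDP-HOST-PLACEHOLDER/realms/REALM-PLACEHOLDER/protocol/saml")
                        .wantAuthnRequestsSigned(false)
                        // Only this certificate may verify signatures on responses/assertions from the IdP.
                        .verificationX509Credentials(creds -> creds.add(Saml2X509Credential.verification(idpCert))))
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    // Fail closed: refuse to start when the IdP certificate is absent from the keystore or not valid today.
    static X509Certificate loadIdpCertificate() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = Saml2VerificationConfig.class.getResourceAsStream(KEYSTORE_PATH)) {
            if (in == null) throw new IllegalStateException("keystore not found on classpath: " + KEYSTORE_PATH);
            keyStore.load(in, KEYSTORE_PASSWORD.toCharArray());
        }
        X509Certificate cert = (X509Certificate) keyStore.getCertificate(IDP_CERT_ALIAS);
        if (cert == null) {
            throw new IllegalStateException("IdP certificate with alias '" + IDP_CERT_ALIAS + "' is missing");
        }
        cert.checkValidity(); // throws CertificateExpiredException or CertificateNotYetValidException
        return cert;
    }
}
```

With this configuration, deleting the ssocircle entry makes the application fail at startup instead of silently accepting responses, and a response signed by any other key is rejected because no other verification credential is registered.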

Comment From: jzheaux

Hi, @manjosh1990, sorry you are having trouble. I have added a comment to your StackOverflow post, and let's keep talking there until it is clear that there is a bug or feature you are requesting here. For the time being, I'll close this issue and we can revisit it if necessary after we finish discussing on StackOverflow.