How to validate SAML Issuer provided in request?

This is standard digital signature verification. The SAML token includes a digital signature, which is essentially a hash of the message, encrypted with the issuer’s private key. The trust store contains the issuer’s public key. The verification step calculates the hash of the received message (using the same algorithm) and also decrypts the signature with the public key. If it matches the calculated hash, you can be confident that the token was issued by the issuer (and that it wasn’t altered on its way through).

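The check described in the answer above, as an added example (not code from the original post or from any SAML library): the trust store maps a trusted issuer entity ID to a public key, the verifier looks up the key for the Issuer the token claims, recomputes the SHA-256 digest over the received bytes and verifies the signature with that key. Assumptions of the example: the entity IDs are hypothetical, the signature covers a fixed byte layout (issuer plus assertion) rather than canonicalized XML-DSig, and the scheme is RSASSA-PKCS1-v1_5 with SHA-256. The key is deliberately taken from the trust store and never from anything inside the token, which is what makes the Issuer binding meaningful.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Token stands in for a signed SAML Response: the claimed Issuer, the
// assertion body, and the signature the issuer computed over both.
type Token struct {
	Issuer    string
	Assertion string
	Signature []byte
}

// TrustStore maps each trusted issuer entity ID to its signing public key.
// The verification key is always looked up here by Issuer; a key carried
// inside the token (KeyInfo in real SAML) is never trusted.
type TrustStore map[string]*rsa.PublicKey

// GenerateIssuerKey creates a fresh RSA-2048 signing key (IdP side).
func GenerateIssuerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signedBytes is the byte layout the signature covers. Real SAML signs
// canonicalized XML (XML-DSig); this fixed layout is an assumption of the
// example so that issuer and verifier hash exactly the same bytes.
func signedBytes(issuer, assertion string) []byte {
	return []byte(issuer + "\n" + assertion)
}

// Issue hashes the message with SHA-256 and signs the digest with the
// issuer's private key (RSASSA-PKCS1-v1_5). This is the IdP's role.
func Issue(priv *rsa.PrivateKey, issuer, assertion string) (Token, error) {
	digest := sha256.Sum256(signedBytes(issuer, assertion))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{Issuer: issuer, Assertion: assertion, Signature: sig}, nil
}

// Verify is the SP-side check: resolve the claimed Issuer to a trusted key,
// recompute the digest over the received bytes, and verify the signature.
// Unknown issuer, altered bytes, or a signature made with any other key
// all reject the token.
func Verify(store TrustStore, t Token) error {
	pub, ok := store[t.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not in the trust store", t.Issuer)
	}
	digest := sha256.Sum256(signedBytes(t.Issuer, t.Assertion))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], t.Signature); err != nil {
		return fmt.Errorf("signature does not verify under the trusted key for %q", t.Issuer)
	}
	return nil
}

func main() {
	// Hypothetical entity IDs; the IdP key and an attacker key are generated here.
	const idpID = "https://idp.example.com/metadata"
	idpKey, _ := GenerateIssuerKey()
	attackerKey, _ := GenerateIssuerKey()
	store := TrustStore{idpID: &idpKey.PublicKey}

	good, _ := Issue(idpKey, idpID, "NameID=alice;Role=user")
	fmt.Println("genuine token:", Verify(store, good))

	tampered := good
	tampered.Assertion = "NameID=alice;Role=admin" // altered in transit
	fmt.Println("tampered token:", Verify(store, tampered))

	// Attacker signs with their own key but names the trusted issuer.
	forged, _ := Issue(attackerKey, idpID, "NameID=alice;Role=admin")
	fmt.Println("forged token:", Verify(store, forged))

	unknown, _ := Issue(attackerKey, "https://idp.evil.example", "NameID=alice")
	fmt.Println("unknown issuer:", Verify(store, unknown))
}
```

The forged case is the one that matters for the original question: a token can name any Issuer it likes, so the Issuer element is only validated indirectly, by requiring the signature to verify under the key the trust store holds for that name.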