...

This article discusses the use of X.509 certificates in Federation metadata. It has security implications, so please read it carefully.

A SAML entity uses public key cryptography to secure the data transmitted to trusted partners. Public keys are published in the form of X.509 certificates in metadata whereas the corresponding private keys are held securely by the entity. These keys are used for message-level signing and encryption, and to create secure back channels for transporting SAML messages over SSL/TLS. They are not used for browser-facing SSL/TLS transactions on port 443. See the Key Usage topic for more information.

The InCommon Federation employs the Explicit Key Trust Model, one of several possible metadata trust models. Consequently, the use of long-lived, self-signed certificates in InCommon Federation metadata is strongly recommended. Certificates signed by a Certification Authority (CA) are allowed, and in most situations will work just fine, but the use of certificates other than self-signed certificates is discouraged. See the Background information and the Interoperability notes below for further discussion. The Key Handling topic shows how to create self-signed certificates and how to handle the corresponding private keys.
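To illustrate what explicit key trust means for a relying party, the following added example (not InCommon's or any SAML product's code) accepts a presented certificate only if its public key matches a key published for that entity in metadata, without consulting issuer or validity. The function names, skeleton certificates and entity IDs are constructed for illustration; it assumes the metadata signature has already been verified, and it uses a minimal DER walker where production code would use a vetted X.509 library.

```python
import base64, hashlib, xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _tlv(buf, pos):  # read the DER element at pos -> (tag, value_start, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 of the SubjectPublicKeyInfo, i.e. of the key, not the certificate."""
    pos = _tlv(cert_der, _tlv(cert_der, 0)[1])[1]  # into Certificate, then tbsCertificate
    tag, _, end = _tlv(cert_der, pos)
    pos = end if tag == 0xA0 else pos              # skip the optional [0] version
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    return hashlib.sha256(cert_der[pos:_tlv(cert_der, pos)[2]]).hexdigest()

def metadata_keys(metadata_xml, entity_id):
    """Hashes of the signing keys bound to entity_id in (already verified) metadata."""
    keys = set()
    for ent in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            for kd in ent.iter(MD + "KeyDescriptor"):
                if kd.get("use") in (None, "signing"):  # no "use" means any use
                    for c in kd.iter(DS + "X509Certificate"):
                        keys.add(spki_sha256(base64.b64decode(c.text)))
    return keys

def key_is_trusted(presented_cert_der, metadata_xml, entity_id):
    return spki_sha256(presented_cert_der) in metadata_keys(metadata_xml, entity_id)

# Constructed sample data: skeleton certificates (not validly signed) and metadata.
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length only (< 128 bytes)
def sample_cert(key, not_after):
    spki = _der(0x30, _der(0x30), _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30),
               _der(0x30), _der(0x30, _der(0x17, not_after)), _der(0x30), spki)
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00sig"))
def sample_metadata(entity_id, cert_der):
    return (f'<EntityDescriptor xmlns="{MD[1:-1]}" entityID="{entity_id}"><IDPSSODescriptor>'
            f'<KeyDescriptor use="signing"><KeyInfo xmlns="{DS[1:-1]}"><X509Data><X509Certificate>'
            f'{base64.b64encode(cert_der).decode()}</X509Certificate></X509Data></KeyInfo>'
            '</KeyDescriptor></IDPSSODescriptor></EntityDescriptor>')
```

A certificate reissued around the same key pair with different validity dates still matches the metadata entry, while a certificate carrying a different key, or presented under a different entityID, does not.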

...