Handle SAML responses
You can handle SAML responses using SAML metadata. To consume SAML responses that are issued by the GOV.UK Verify hub:
Decrypt the assertion.
Validate the signature on the assertion contained in the response. This assertion is generated and signed by your MSA.
You can use the X509 signing certificate contained in the MSA metadata to validate this signature.
Use this procedure with care. You must trust assertions signed by the MSA only. The GOV.UK Verify hub never issues assertions for consumption by the service endpoint, so make sure that it’s not possible to trust the hub to issue assertions.