Use extended validation certificates
You should use extended validation (EV) certificates for all public interactions with your service. This will protect your users from fraudulent sites imitating your service.
You should also follow recommendations from the National Cyber Security Centre (NCSC) to keep your service secure, including using TLS to protect data.
Use the Verify Service Provider
Your service must be able to send SAML authentication requests to, and receive SAML responses from, the GOV.UK Verify hub.
The Verify Service Provider handles the SAML communications between your service and GOV.UK Verify Hub.
This means that if you’re using the Verify Service Provider, you don’t need to be familiar with SAML to use GOV.UK Verify in your service. Your team only needs to manage JSON.
Using Verify Service Provider will make it easier to:
connect multiple services with GOV.UK Verify - you only need one instance of Verify Service Provider
handle certificate rotations - you can host multiple certificates at a time
You will need to host Verify Service Provider on your own infrastructure.
If you are thinking of not using the Verify Service Provider (VSP), contact the GOV.UK Verify team before you start building your own service provider.
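The JSON side of the flow described above, as an added example that is not code from GOV.UK Verify or the Verify Service Provider: the service asks the VSP for a request, stores the returned request ID in the user's session, and only hands a SAML response to the VSP together with that stored ID, so a response arriving without a matching pending request is rejected. The `FakeVsp` class stands in for the VSP's HTTP API; its method names, the `generate-request`/`translate-response` JSON fields and the `scenario` strings are assumptions made for this example, not guaranteed to match the real API.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

class FakeVsp:
    """Constructed stand-in for the VSP's JSON API (field names assumed)."""
    def __init__(self):
        self.issued = {}  # requestId -> level of assurance it was generated for

    def generate_request(self, level_of_assurance):
        request_id = secrets.token_hex(16)
        self.issued[request_id] = level_of_assurance
        return {"samlRequest": "<constructed base64 AuthnRequest>",
                "requestId": request_id,
                "ssoLocation": "https://hub.example/SAML2/SSO"}  # constructed URL

    def translate_response(self, saml_response, request_id, level_of_assurance):
        # The real VSP validates the SAML; here we only check the ID was issued once.
        if self.issued.pop(request_id, None) != level_of_assurance:
            return {"scenario": "REQUEST_ERROR"}  # constructed scenario name
        return {"scenario": "IDENTITY_VERIFIED", "pid": "constructed-pid"}

@dataclass
class Session:
    """The relying service's per-user session; holds at most one pending request."""
    pending_request_id: Optional[str] = None

def start_sign_in(vsp, session, loa="LEVEL_2"):
    """Ask the VSP for a request and bind its ID to this session."""
    body = vsp.generate_request(loa)
    session.pending_request_id = body["requestId"]
    return body["ssoLocation"], body["samlRequest"]

def finish_sign_in(vsp, session, saml_response, loa="LEVEL_2"):
    """Translate a SAML response only against the request this session started."""
    request_id = session.pending_request_id
    if request_id is None:
        return {"scenario": "REQUEST_ERROR", "reason": "no pending request"}
    session.pending_request_id = None  # single use: a replayed response cannot reuse it
    return vsp.translate_response(saml_response, request_id, loa)
```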