
We have a SAML architecture where we (as the service provider/RP), allow the user to authenticate using their Microsoft account. The assertion is digitally signed by Microsoft (FAL1) and we have an encryption option as well (FAL2). According to NIST (https://pages.nist.gov/800-63-3/sp800-63-3.html),

FAL3: FAL3 requires the subscriber to present proof of possession of a cryptographic key referenced in the assertion along with the assertion itself. The assertion must be signed using approved cryptography and encrypted to the RP using approved cryptography.

What would be an example of such a cryptographic key? In particular, how would I get Azure's assertion to reference said key?

onyx12

0 Answers