SAML Keys Format

Cantor, Scott cantor.2 at
Wed Feb 5 19:09:41 EST 2020

You will never see a (correct) instance of metadata or any other ds:X509Certificate element anywhere with the headers. The relevant standard is XML Signature, and the syntax of that element is a base64-encoded DER-encoded certificate. PEM is simply that format with the headers added. The XML Schema type of the element is called base64Binary. The headers are not valid base64 so they blatantly break the syntax and would choke any validating parser.

> I noticed the metadata/idp-metadata.xml configuration file references

There is no such configuration file. The IdP never uses its own metadata. That file is a dummy example file (really should never have been created, but it's historical) that's just a sample. It should never be used as anything but a starting point for creating the appropriate metadata to give to federations and the like.

> I've seen ADFS SAML 2.0 references contain the certificate headers and footers

I would be surprised, but given that ADFS can't even handle valid metadata, it would be fitting if it accepted something that's clearly invalid.

> and I didn't see the OASIS SAML 2.0 specify whether the headers and footers were needed

Because it's not a SAML element. It comes from XML Signature.

-- Scott
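
The distinction drawn in the message above, as an added example that is not part of the original post and not Shibboleth code: it reduces a PEM certificate to the base64 body that ds:X509Certificate expects, and flags element values that still carry the headers. The function names and the sample bytes (a constructed placeholder, not a real certificate) are assumptions.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

# Constructed placeholder: a tiny DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"


def pem_to_element_text(pem: str) -> str:
    """Drop the PEM header/footer lines, keeping only the base64 body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def check_element_text(text: str) -> list:
    """Return the problems found in one ds:X509Certificate value."""
    problems = []
    if "-----" in text:
        problems.append("PEM header/footer present")
    compact = "".join(text.split())  # base64Binary permits whitespace
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error:
        problems.append("not valid base64")
        return problems
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        problems.append("decoded bytes are not a DER SEQUENCE")
    return problems


def audit_metadata(xml_text: str) -> list:
    """Check every ds:X509Certificate in a metadata document."""
    root = ET.fromstring(xml_text)
    return [check_element_text(el.text or "") for el in root.iter(DS + "X509Certificate")]


def sample_metadata(cert_text: str) -> str:
    # Constructed fragment; real metadata carries far more than this.
    return ('<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            "<ds:X509Data><ds:X509Certificate>" + cert_text +
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
```

The DER check only looks at the leading SEQUENCE tag; it does not parse or verify the certificate.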

