In SAML Response should we sign Response or Assertion
When returning SAML Response to SP, most IdP like AzureAD, Okta, Onelogin, GSuite have the following options about signature:
- sign Response
- sign Assertion
- sign Response and Assertion
And without any configuration, for most IdP, the default for signature is to only sign Assertion.
Below is a SAML Response example from AzureAD (the default signing option is sign Assertion). The Assertion is integrity protected and no tampering can be done. However fields other than Assertion, Destination InResponseTo Issuer, can be tampered with, or add/remove without knowledge!
So my question is:
- Why there are 3 kinds of signing? (Response, Assertion, Response & Assertion)
- In which use case should we choose to sign the whole Response, sign the Assertion or sign both Response and Assertion?
- By only signing Assertion (as default by most IdP), do we exposed to any vulnerabilities?
Check Scott's answer from the SOF post
The only requirement for the IdP following the SAML 2.0 spec is to digitally sign the Assertion (see http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf section 4.1.3.5). That is enough to tell if the SSO operation from an IdP should be trusted by SP that has federated with it.
Signing the outer Response is optional. There are some security benefits to it, such as preventing Message Insertion or Modification (see sections 6.1.3/6.1.5 in http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf) - but in practice it's often omitted in lieu of relying on SSL/TLS.
- Simple way to put AWS Lambda app behind SAML authentication
- Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
- How to solve the xmlsec Error: (100, 'lxml & xmlsec libxml2 library version mismatch')
- Mendix and Azure Ad B2C AuthRequest does not have assertion consumer service URL
- Authenticate requests session with login.microsoftonline.com
- Python SSO: pysaml2 and python3-saml
- How to create public and private key with OpenSSL?
- How to change NameID in SimpleSAMLphp
- Add SHA1 to signxml python
- What causes a Responder status in a SAML response
- How to validate a SAML token from ADFS 3.0 in an ASP.NET Core Web API
- Moodle intergration with ADFS--Plugin SAML2 Single sign on
- Python Django ModelViewSet implementation with SAML ACS
- openconnect with gp does not prompt for SAML authentication in command line
- Integrate SAML in Laravel using existing Idp and SP
- Keycloak as a Service Provider - setting up a signing certificate
- Keycloak: Unique SAML endpoint per SAML Client in the same Realm
- Implement single signon (SSO) using SAML in java and AzureAD as IDP
- SSO/SAML trace on Android/iOS
- Firebase , Active Directory - Will AD users get created in Firebase as well?
- Security concerns with providing SAML metadata on public URL
- SOAP Header Invalid Signature on Timestamp
- Error authenticating to SonarQube using SAML Okta
- Why signature need in SAML request for ADFS?
- what is the Best practice for token expiration - Use received token expiry or create and configure JWT expiry?
- SAML, setting ACS Url to localhost for desktop app
- Detect if user is identified and get the data
- Why Statements has only getter and can't be set through the only constructor in Saml2Assertion?
- Is there a way use SAML IDP with Sonatype nexus repository manager?
- Providing a generic PartnerEntity for SAML federation of SAML in Azure B2C