In SAML Response should we sign Response or Assertion
When returning SAML Response to SP, most IdP like AzureAD, Okta, Onelogin, GSuite have the following options about signature:
- sign Response
- sign Assertion
- sign Response and Assertion
And without any configuration, for most IdP, the default for signature is to only sign Assertion.
Below is a SAML Response example from AzureAD (the default signing option is sign Assertion). The Assertion is integrity protected and no tampering can be done. However fields other than Assertion, Destination InResponseTo Issuer, can be tampered with, or add/remove without knowledge!
So my question is:
- Why there are 3 kinds of signing? (Response, Assertion, Response & Assertion)
- In which use case should we choose to sign the whole Response, sign the Assertion or sign both Response and Assertion?
- By only signing Assertion (as default by most IdP), do we exposed to any vulnerabilities?
Check Scott's answer from the SOF post
The only requirement for the IdP following the SAML 2.0 spec is to digitally sign the Assertion (see http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf section 4.1.3.5). That is enough to tell if the SSO operation from an IdP should be trusted by SP that has federated with it.
Signing the outer Response is optional. There are some security benefits to it, such as preventing Message Insertion or Modification (see sections 6.1.3/6.1.5 in http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf) - but in practice it's often omitted in lieu of relying on SSL/TLS.
- Assistance with Extending SAML AuthnRequest for AppSwitch Property
- Configuring SAML2: Bypassing 'InResponseTo' Validation While Retaining Default Settings in OpenSaml4AuthenticationProvider
- How to set up AWS Client VPN with Keycloak as IdP
- Response doesn't have any valid assertion which would pass subject validation
- Validate signed assertion embedded in SAMLResponse
- CORS issue using Angular application calling a .NET Core API using Sustainsys.Saml2 library and Azure Active Directory as Identity Provicer
- Logging into SAML/Shibboleth authenticated server using python
- SimpleSAML\Error\Exception: Could not find the metadata of an IdP with entity ID
- Security concerns with providing SAML metadata on public URL
- How to get a SAML token from ADFS sever to pull data from dynamics CRM on-premises (non-sdk) in c#?
- How to add ForceAuthn flag on AWS cognito
- Python Requests - SAML Login Redirect
- How to get SAML token using C#/ASP.NET
- Simple way to put AWS Lambda app behind SAML authentication
- Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
- How to solve the xmlsec Error: (100, 'lxml & xmlsec libxml2 library version mismatch')
- Mendix and Azure Ad B2C AuthRequest does not have assertion consumer service URL
- Authenticate requests session with login.microsoftonline.com
- Python SSO: pysaml2 and python3-saml
- How to create public and private key with OpenSSL?
- How to change NameID in SimpleSAMLphp
- Add SHA1 to signxml python
- What causes a Responder status in a SAML response
- How to validate a SAML token from ADFS 3.0 in an ASP.NET Core Web API
- Moodle intergration with ADFS--Plugin SAML2 Single sign on
- Python Django ModelViewSet implementation with SAML ACS
- openconnect with gp does not prompt for SAML authentication in command line
- Integrate SAML in Laravel using existing Idp and SP
- Keycloak as a Service Provider - setting up a signing certificate
- Keycloak: Unique SAML endpoint per SAML Client in the same Realm