
Is it necessary to validate a SAML Assertion

I, as a service provider, am trying to authenticate a user on my page by getting a SAML Assertion (SAML 1.0) from the identity provider (IdP). The following steps are performed (very abstract):

  1. User visits my page
  2. I redirect the user to the IdP where the user authenticates
  3. I get a SAML Artifact with which I request the SAML Assertion from the IdP
  4. The IdP sends the SAML Assertion directly back to my page
  5. ?

Is this process enough to ensure that the user's authentication is legit? Do I just grant the user access to my service in step 5, or do I have to make sure that the SAML Assertion is valid by verifying the signature in the Assertion? If so, how do I do that? Am I missing any other steps?

rumpel asked Jan 04 '23 23:01


2 Answers

No, if you are using the artifact resolution protocol you don't need to validate the signature of the assertion if you trust the transport. The transport can generally be trusted if it is a https url and your server has a correct set of trusted root certificates.

Details

The SAML2 standard (core, section 5.3) states that an assertion should be considered properly signed if it is contained in another element that is signed. In the artifact resolution case it means that a signature covering the entire artifact resolution response message is enough to consider the assertion to be signed. The standard further says that a SAML message received over an authenticated SSL connection MAY be considered properly signed if defined by the profile.

Looking at the WebSSO profile, it states that for artifact resolution (profiles, 4.1.4.4) "the dereferencing of the artifact using the Artifact Resolution profile MUST be mutually authenticated, integrity protected, and confidential." Which IMHO is covered by a properly set up https connection.

But if you are doing SAML2 the full administrative way, you should also have a deployment profile for your specific setup that explicitly defines if an https connection is trusted or not.

Anders Abel answered Jan 13 '23 17:01


My short personal recommendation: If the IDP already signs the assertion, the key to validate it should be in the Metadata already, validating it should be an easy operation and have big security benefits. So do it.

However... (Long answer) It is always hard to say what is secure and what isn't. That all depends on how secure you need your site to be. Using an assertion is a way of making it more secure.

This way the user itself cannot edit the assertion. A signature is a step more secure; it ensures that the assertion came from the IDP and has not been changed.

Without it there is the possibility of an attacker pretending to be the IDP, redirecting the artifact to its own server. The attacker could then respond with whatever assertion he wants. Another scenario is that if the assertion is not protected by a signature it could be changed somewhere while in transit on the internet.

With any security controls you have to weigh how important authentication of users is for you and the consequences of someone circumventing it.

Stefan Rasmusson answered Jan 13 '23 15:01
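
The acceptance rules cited in the first answer and the signature check recommended in the second can be combined into one decision step on the service provider side. This is an added example, not code from either answer: it shows how to pick which protection must hold before an artifact response is accepted, and it only selects the element whose signature must verify (the cryptographic check itself belongs to an XML-DSig library). Assumptions: SAML 2.0 namespaces; the names `trust_basis`, `own_signature` and `sample` are hypothetical; the sample message is constructed and its signature body is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def own_signature(elem):
    """True if elem has a direct-child ds:Signature whose only Reference
    points at elem's own ID, so a signature over another node is ignored."""
    sig, eid = elem.find("ds:Signature", NS), elem.get("ID")
    if sig is None or not eid:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + eid

def trust_basis(xml_text, tls_mutual_auth, profile_trusts_transport):
    """Return (basis, ID of the element whose signature must verify)."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)          # expected: samlp:ArtifactResponse
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:                # none, or ambiguous: refuse
        return (None, None)
    assertion = assertions[0]
    if own_signature(assertion):
        return ("assertion-signature", assertion.get("ID"))
    # A signature on an element that contains the assertion also covers it.
    for outer in [root] + root.findall("samlp:Response", NS):
        if own_signature(outer) and any(e is assertion for e in outer.iter()):
            return ("enclosing-signature", outer.get("ID"))
    # Unsigned: acceptable only over the mutually authenticated back channel,
    # and only when the deployment profile explicitly allows it.
    if tls_mutual_auth and profile_trusts_transport:
        return ("transport", None)
    return (None, None)

def sample(signed_id=None):
    """Constructed ArtifactResponse; the signature body is a placeholder."""
    def sig(eid):
        if eid != signed_id:
            return ""
        return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
                '</ds:SignedInfo></ds:Signature>' % eid)
    xmlns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return ('<samlp:ArtifactResponse %s ID="_ar1">%s<samlp:Response ID="_r1">'
            '%s<saml:Assertion ID="_a1">%s</saml:Assertion></samlp:Response>'
            '</samlp:ArtifactResponse>') % (xmlns, sig("_ar1"), sig("_r1"),
                                            sig("_a1"))
```

When the result is `(None, None)` the assertion is rejected; otherwise the named element's signature is verified against the IdP key from metadata before access is granted.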