When signing a SAML Response that also has a signed Assertion, should I:
A) Generate the Response signature without the Assertion signature. Then inject the Assertion signature after both signatures have been generated.
B) Generate the Assertion signature and include it when generating the Response signature.
C) Something else?
SAML is awful, every time I read answer they are almost correct, here is the correct algorithm distilled:
Thats it. SAML is completely awful. There are tons of little subtleties that make implementing SAML a nightmare(like calculating the canonical form of a subset of the XML(the assertion), also the XML version of XML documents is not included.
I finished my implementation, I hope never to revisit such pain again.
I believe the correct answer is B). Sign the Assertion first then sign the Response that contains the signed Assertion data. However, if a single Issuer/Entity (STS/IDP/etc) is signing both there is no real reason to sign the Assertion is there? Just sign the Protocol Message/Response which should include the Assertion data. This will cut down on processing requirements at the SP. For Web SSO, I've only ever seen both portions signed when you have a different entity signing the Assertion vs the Response.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With