0
votes

I need to conduct the SAML Bearer Assertion Flow from OAuth 2 manually via Postman to prove that it works with our backend. Therefore, I created my own SAML assertion file using [1] as reference (scroll down a bit to see the sample SAML assertion).

I wonder why the digital signature (the value of the XML element ds:SignatureValue) is part of the file that contains the SAML assertion. Of course I cannot include the signature inside the thing that is being signed. So I wonder which part of the assertion is being signed.

[1] https://help.salesforce.com/articleView?id=remoteaccess_oauth_SAML_bearer_flow.htm&language=en&type=0

1 Answer

1
votes

ds:SignatureValue is required in the Assertion to verify that the Assertion part has not been modified, that it was intended to be sent by the Identity Provider (IdP) to the Service Provider (SP) only, and that no one else modified it in transit.

Typically the Assertion part (excluding the ds:Signature element) is signed, the result is set in the ds:SignatureValue element, the related signature details are appended to the ds:Signature element, and the whole is sent to the SP by the IdP.
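As an added illustration of the answer (not code from the question, the answer or the Salesforce article), the Python sketch below shows the enveloped-signature transform: the digest in ds:Reference is computed over the assertion with the ds:Signature element removed, which is why ds:SignatureValue can live inside the assertion without being part of what is signed. The sample assertion, its ID and its subject are constructed; the sketch uses the standard library's C14N 2.0 canonicalizer in place of the Exclusive C14N 1.0 that XML-DSig actually applies, and stops before the RSA signature over ds:SignedInfo that yields ds:SignatureValue.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Constructed sample assertion: ID, issuer and subject are made-up values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_abc123">
        <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue></ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""


def enveloped_digest(assertion_xml: str) -> bytes:
    # Enveloped-signature transform: drop ds:Signature, so neither
    # ds:DigestValue nor ds:SignatureValue is ever part of the hashed bytes.
    root = ET.fromstring(assertion_xml)
    for sig in root.findall(f"{{{DS}}}Signature"):
        root.remove(sig)
    # Simplification: ET.canonicalize is C14N 2.0, not Exclusive C14N 1.0.
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canon.encode("utf-8")).digest()


def fill_digest(assertion_xml: str) -> str:
    # IdP side: store the digest in ds:DigestValue (RSA over SignedInfo omitted).
    root = ET.fromstring(assertion_xml)
    dv = root.find(f".//{{{DS}}}DigestValue")
    dv.text = base64.b64encode(enveloped_digest(assertion_xml)).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify_reference(assertion_xml: str) -> bool:
    # SP side: the Reference must point at this very assertion and its digest must match.
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        return False
    expected = base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue") or "")
    return enveloped_digest(assertion_xml) == expected
```

Changing anything outside ds:Signature (the NameID, say) breaks the digest, while changing ds:SignatureValue itself does not, which is exactly the property the enveloped transform is designed to give.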