We are using Spring Security SAML (v1.0.3) in our Java application for SAML SSO with IDP.
Requirement: Accept only signed SAML response messages from IDP, if the SAML response is not signed, then throw an exception.
Actual Result: Even if the signing information is completely missing from the SAML Login response message, it is accepted and Spring Security SAML library doesn't throw an exception.
Observations:
- If wrong signing information is present in the SAML Login response message, then it throws an exception, which is correct.
- For Logout messages, we have properties `requireLogoutRequestSigned` and `requireLogoutResponseSigned` in the extended metadata generator that control whether logout request and response shall be signed or not.
- For the Login Response message, we have a property `wantAssertionSigned` that indicates whether the SP requires signed assertions or not.
Questions:
- Is there any property or an approach in the Spring Security SAML framework that enables the SP to only accept signed Login responses (at the message level) from the IDP?
- Per my understanding, the signing of the SAML Response message and of the Assertion are two different things. Is it correct? The property `wantAssertionSigned` only enables signed assertions and not the message.
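One defensive way to enforce a message-level signature on the SSO Response, added here as an example and not code from the question or from the Spring Security SAML project: subclass `WebSSOProfileConsumerImpl`, reject any `Response` that carries no `Signature` element and was not authenticated at the binding level (for example by a verified HTTP-Redirect signature), and only then delegate to the library's normal processing, which verifies a signature when one is present. The class name `SignedResponseWebSSOProfileConsumer` and the wiring shown in the comments are assumptions; the overridden method, `SAMLMessageContext`, `isInboundSAMLMessageAuthenticated()` and `SAMLException` are the 1.0.x library/OpenSAML types the example builds on.

```java
package example.saml; // hypothetical package for this added example

import org.opensaml.saml2.core.Response;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.SAMLException;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

/**
 * Consumer that refuses an unsigned SAML Response at the message level.
 *
 * The stock WebSSOProfileConsumerImpl verifies a Response signature only when
 * one is present; wantAssertionSigned governs the Assertion, not the Response.
 * This subclass adds the missing "signature must exist" check in front of the
 * library's own verification, so a Response with no Signature element is
 * rejected before any assertion is evaluated.
 */
public class SignedResponseWebSSOProfileConsumer extends WebSSOProfileConsumerImpl {

    @Override
    public SAMLCredential processAuthenticationResponse(SAMLMessageContext context)
            throws SAMLException, org.opensaml.xml.security.SecurityException,
                   ValidationException, DecryptionException {

        Object message = context.getInboundSAMLMessage();
        if (!(message instanceof Response)) {
            // Let the parent produce its usual error for non-Response messages.
            return super.processAuthenticationResponse(context);
        }

        Response response = (Response) message;
        boolean hasXmlSignature = response.getSignature() != null;
        // True when the binding already authenticated the message (e.g. a
        // verified query-string signature on the HTTP-Redirect binding).
        boolean bindingAuthenticated = context.isInboundSAMLMessageAuthenticated();

        if (!hasXmlSignature && !bindingAuthenticated) {
            // Fail closed: an unsigned Response is treated as an error, which
            // surfaces to the SAMLProcessingFilter as an authentication failure.
            throw new SAMLException("SAML Response from "
                    + context.getPeerEntityId()
                    + " is not signed at the message level; rejecting");
        }

        // Parent verifies the present signature against the IDP metadata
        // (trust engine) and then applies the assertion checks, including
        // wantAssertionSigned.
        return super.processAuthenticationResponse(context);
    }
}

/*
 * Wiring (assumed Spring XML, replacing the stock consumer bean in the
 * securityContext.xml used by Spring Security SAML 1.0.x samples):
 *
 *   <bean id="webSSOprofileConsumer"
 *         class="example.saml.SignedResponseWebSSOProfileConsumer"/>
 *
 * A useful check after deployment: replay a captured, valid Response with the
 * <ds:Signature> element removed and confirm the login is refused and the
 * SAMLException reason appears in the application log.
 */
```

The check deliberately accepts the case where the binding itself authenticated the message, since on the HTTP-Redirect binding the signature lives in the query string rather than in the XML and the library records that result on the context; tightening this to require an XML signature in every case is a one-line change if the deployment only uses HTTP-POST.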