
If my Identity Provider sends me a Saml2AuthnResponse with an invalid signature in the <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> element, the Unbind() method throws an Invalid Signature exception. This is fine and expected.

However, if the <Signature> element is missing altogether (the Saml2AuthnResponse is unsigned), I get no exception at all. Is this expected? Is this a security risk?

The assertions are encrypted and the communication happens via HTTPS. But I'm still a little concerned about the signature being optional for Saml2AuthnResponse. Can I enforce/require the presence of a signature?

nixx

2 Answers


If you have uploaded metadata from your application, it should have WantAssertionsSigned="1" specified. In general, however, you need to ensure that you have selected Sign Assertion, Sign Response or Sign Both in the Identity Provider's configuration.

On the application side the SAML library must check to ensure that there is a signature if you are able to specify that you require the Assertion to be signed.

ITfoxtec for instance seems to allow WantAssertionsSigned in the metadata but (at first glance) does not check for it when the Assertion is received.

That is likely a bug if true.

Timothy Legge

A SAML 2.0 Authn response signature is always required.

If the SAML 2.0 Authn response is sent using the POST binding, an XML signature secures the response.

Please see the XML signature validation: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2/Request/Saml2Request.cs#L228

If, on the other hand, the SAML 2.0 Authn response is sent using the redirect binding, the signature is placed in the query string (URL).

Anders Revsgaard
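The check the question asks for, as an added example that is neither the poster's code nor the ITfoxtec library's (it is written in Python rather than .NET so it runs stand-alone): a structural pre-check that treats a missing signature as an error instead of silently passing, covers both bindings described in the answers above, and only counts a ds:Signature that is a direct child of the element and whose Reference points at that element's own ID, so a signature placed elsewhere in the document does not satisfy the policy. Function names, the element IDs _r1/_a1 and the sample messages are constructed for the example; cryptographic verification of any signature that is present is still left to the SAML library.

```python
"""Structural signature pre-check for SAML 2.0 Responses (added example;
not ITfoxtec code).  Runs *before* cryptographic verification and turns
a missing signature into an error instead of a silent pass.  Verifying
the signatures that are present is still the SAML library's job."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class UnsignedSamlError(Exception):
    """SP policy requires a signature that the message does not carry."""


def own_signature(elem):
    """Return the ds:Signature that is a direct child of `elem` and whose
    Reference URI is "#<elem ID>", else None.  A ds:Signature anywhere
    else in the subtree is ignored on purpose: a signature over some other
    element does not sign this one (XML signature wrapping)."""
    elem_id = elem.get("ID")
    if not elem_id:
        return None
    for sig in elem.findall("ds:Signature", NS):
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is not None and ref.get("URI") == "#" + elem_id:
            return sig
    return None


def check_post_response(response_xml, want_response_signed=True,
                        want_assertions_signed=True):
    """HTTP-POST binding: the signature lives inside the XML.  Returns a
    summary dict; raises UnsignedSamlError if a required signature is absent."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    summary = {
        "response_signed": own_signature(root) is not None,
        "plain_assertions_signed": [own_signature(a) is not None
                                    for a in root.findall("saml:Assertion", NS)],
        # Cannot be inspected before decryption: re-run own_signature() on
        # each decrypted saml:Assertion when want_assertions_signed is set.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }
    if want_response_signed and not summary["response_signed"]:
        raise UnsignedSamlError("samlp:Response is not signed")
    if want_assertions_signed and not all(summary["plain_assertions_signed"]):
        raise UnsignedSamlError("an unencrypted saml:Assertion is not signed")
    return summary


def check_redirect_response(url, want_signed=True):
    """HTTP-Redirect binding: the signature is not in the XML but in the
    query string (SigAlg= and Signature= over the deflated SAMLResponse)."""
    q = parse_qs(urlparse(url).query)
    present = {k: k in q for k in ("SAMLResponse", "SigAlg", "Signature")}
    if not present["SAMLResponse"]:
        raise ValueError("no SAMLResponse parameter")
    if want_signed and not (present["SigAlg"] and present["Signature"]):
        raise UnsignedSamlError("redirect-bound Response is not signed")
    return present


def accepts_post(response_xml, **policy):
    """True if the POST-bound Response passes the policy, False if rejected."""
    try:
        check_post_response(response_xml, **policy)
        return True
    except UnsignedSamlError:
        return False


# --- constructed sample messages (not captured from a real IdP) ------------
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
        '<ds:SignatureValue>MEUC...</ds:SignatureValue></ds:Signature>')


def sample_response(response_sig_uri=None, assertion_signed=False):
    """Minimal samlp:Response (ID _r1) with one plaintext Assertion (ID _a1).
    response_sig_uri=None gives an unsigned Response; any other value adds a
    Signature child whose Reference points at that URI."""
    resp_sig = _SIG % response_sig_uri if response_sig_uri else ""
    asrt_sig = _SIG % "#_a1" if assertion_signed else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" '
            'Version="2.0">%s<saml:Assertion ID="_a1" Version="2.0">%s'
            '<saml:Subject/></saml:Assertion></samlp:Response>'
            % (resp_sig, asrt_sig)).encode()
```

Usage: call check_post_response(raw_xml) on the POSTed SAMLResponse before handing it to the library, with want_assertions_signed mirroring the WantAssertionsSigned value in your SP metadata; accepts_post(sample_response()) returns False for the unsigned case from the question, and a Response whose only Signature references #_a1 is also rejected because it does not sign the Response element itself. Note that with encrypted assertions the assertion-level check can only run after decryption, which is exactly why the Response-level signature should not be optional in that setup.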