If my Identity Provider sends me a Saml2AuthnResponse with an invalid signature in the <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> element, the Unbind() method throws an Invalid Signature exception. This is fine and expected.

However, if the <Signature> element is missing altogether (the Saml2AuthnResponse is unsigned), I get no exception at all. Is this expected? Is this a security risk?

The assertions are encrypted and the communication happens via HTTPS. But I'm still a little concerned about the signature being optional for Saml2AuthnResponse. Can I enforce/require the presence of a signature?
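Whichever way the library answers the "can I require it" question, the presence check itself is small enough to run on the decoded response XML before Unbind() is called. The following is an added example, not ITfoxtec code, written in Python rather than C# so it runs stand-alone; the sample documents are constructed, and the function and constant names are my own.

```python
# Added example (not ITfoxtec code): reject an unsigned samlp:Response before
# it reaches Saml2AuthnResponse.Unbind(), which validates a <Signature> only
# when one is present.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"


def response_is_signed(xml_text: str) -> bool:
    """True only if the samlp:Response root carries a ds:Signature as a
    direct child. A Signature located anywhere else in the document does
    not count: only a signature on the root covers the Response itself."""
    # For untrusted input in production, parse with defusedxml.ElementTree;
    # the stdlib parser is used here so the example needs no extra packages.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    return root.find(f"{{{DS}}}Signature") is not None


def require_signed_response(xml_text: str) -> None:
    """Raise before any further processing if the Response is unsigned."""
    if not response_is_signed(xml_text):
        raise ValueError("SAML Response is not signed; refusing to process it")


# Constructed sample inputs (not real IdP traffic). Signature contents are
# placeholders: this check looks at presence and position, not validity,
# which remains Unbind()'s job.
UNSIGNED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"></samlp:Response>'
SIGNED = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:ds="{DS}" ID="_r1" Version="2.0">'
          '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
          '</ds:Signature></samlp:Response>')
# A Signature nested below the root must not satisfy the check.
NESTED = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:ds="{DS}" ID="_r1" Version="2.0">'
          '<samlp:Extensions><ds:Signature/></samlp:Extensions></samlp:Response>')

if __name__ == "__main__":
    for name, doc in [("unsigned", UNSIGNED), ("signed", SIGNED), ("nested", NESTED)]:
        print(name, response_is_signed(doc))
```

Run the check on the same XML string you hand to Unbind(); it only decides whether a root-level Signature exists, so signature verification itself still happens in the library.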