auth0/node-samlp

Cannot sign the assertion

GreenGremlin opened this issue · 4 comments

According to the SAML spec, the SAML response should always be signed and the SAML assertion can optionally be signed. samlp.auth currently only allows for the response to be signed, and it defaults to not signing it.

Desired behavior

The response should always be signed, and there should be an added option, signAssertion, to sign the assertion as well.

samlp.auth({
    ...,
    signAssertion: true,
});

The above code should result in a SAML response with both a signed response and a signed assertion. The signResponse option should default to true and signAssertion should default to false.

Digging deeper, I believe this is actually a bug in the xml-crypto package. This package always signs the assertion, but when signResponse is set to true, xml-crypto's enveloped transform is removing the assertion's signature when calculating the signature for the response.

I've fixed the xml-crypto bug and released 1.0.0 of xml-crypto, and will send in a PR.

Any plans to support asymmetric assertion encryption?

samlp@4.0.0 adds a signAssertion option in addition to the already available signResponse.

Fixed by #104