Required signature on a SAML assertion | ansaurus

tags:

saml

views:

40

answers:

1

Q:

Required signature on a SAML assertion

Is it required to sign a SAML token? It looks like the signature element is not required according to the schema.

In lieu of signing the SAML token, we would require client certificates (two-way SSL) to verify that the consumer is a trusted consumer. Is this a viable option?

A:

It depends on what Binding you are using and what your use case is. If you are talking about the Artifact Resolution Protocol, the SOAP binding does not require a signed SAML Response for example. However, the HTTP Post Binding (Web SSO Profile) always requires a signature.

Mutual TLS Authentication is allowed for the SOAP Binding but it not practical at all for the Web SSO Profile.

So, it really depends on what your use case is as each Profile/Binding has its own requirements.

Hope this helps - Ian

Ian 2010-07-15 13:01:09

This does help a lot. Do you know if the Assertion Query and Request Protocol requires a signature?

red tiger 2010-07-15 14:59:01

I don't believe so since this must be done via SAML SOAP 1.1 Binding. However, I am not that familiar with the Assertion Query/Request Profile to be 100% sure.

Ian 2010-07-29 14:23:58

related questions

SAML 2.0 SSO and ASP.Net

SAML assertion with username/password - what do the messages really look like?

Can you recommend a SAML 2.0 Identity Provider for test?

Anyone using Spring-ws with SAML authentication?

How do I configure WebLogic 10.3 Web App To Use SAML 2 SSO and Identity Provider?

Use gmail domain account with IMAP authentication with SAML authentication not working...

SAML Assertion consumer Service (ACS) - Suggestions on implementation

Convenient applications for Browser/POST and Browser/Artifact SAML profiles

Designing an XACML API

What is SAML?

How to implement SAML SSO

WCF Interop with Axis2 using WS-Trust

Are attributes allowed in a SAML authentication request?

Why is using a certificate, made with the MakeCert tool, in production bad?

Implementing SSO using different versions of SAML

Need info on SAML 2.0

Signing XML with Public Key Example?

Identity provider implementation of opensaml 2.0

Do we absolutely need a STS for SAML?

SAML identity provider as Java servlet filter?

Looking for feedback on a first SAML implementation.

SAML Assertion WriteXML issue in C#

SAML with .NET 2.0

Implementing Claims-Based Security (WCF/Asp.NET)

How do I deserialize a SAML assertion in Rampart/C (Axis2/C)?