I have integrated Spring SAML into my application and while testing different configuration sets, I was validating whether an Assertion inherits the signature from a signed, enclosing Response. Basically, I want to know if only signing the Response object and not the Assertion satisfies the SP "wantsAssertionsSigned" declaration.
According to the spec (well, my best reading of the spec), the Assertion should inherit the signature from the Response if it is not signed (from http://docs.oasis-open.org/security/...ore-2.0-os.pdf):

"A SAML assertion may be embedded within another SAML element, such as an enclosing <Assertion> or a request or response, which may be signed. When a SAML assertion does not contain a <ds:Signature> element, but is contained in an enclosing SAML element that contains a <ds:Signature> element, and the signature applies to the <Assertion> element and all its children, then the assertion can be considered to inherit the signature from the enclosing element. The resulting interpretation should be equivalent to the case where the assertion itself was signed with the same key and signature options."

So from my understanding, a Response object that contains a valid Signature and an unsigned Assertion should satisfy the wantsAssertionsSigned property and allow successful validation of the message. The Spring extension seems to only validate Response signatures if they exist (and sets context.setInboundSAMLMessageAuthenticated(true)), but when checking the Assertion signature, it never refers back to the context to see if the message has been authenticated already, thereby not inheriting.
Basically, I want to confirm my understanding and ask if there are any ideas for configuring the extension (or modifying it) such that my users can enforce message integrity at the Response level, the Assertion level, or both.
I have sample messages from one customer who is currently only signing Responses, and the only option for supporting this style right now is disabling wantsAssertionsSigned. This is obviously a huge hole, since there is currently no option for requiring a Response signature and therefore the SP will just accept unsigned messages.
The two thoughts I had were to implement the signature inheritance, or to add another configuration option, or to enforce a Response signature, but I want to make sure I am not missing something.
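As an added illustration of the inheritance rule quoted above (this is example code written for this post, not Spring SAML or OpenSAML code), the following Python decides which ds:Signature, if any, must be verified for an Assertion to count as signed: a direct signature on the Assertion, or an inherited one where the enclosing Response carries a signature whose Reference covers the Response element. It also shows the policy split the question asks for, with separate "want assertions signed" and "want response signed" switches. The SAML messages, element IDs and issuer URL are constructed sample data; the signature values are placeholders, so this code only does the structural part of the check, and real cryptographic verification of the chosen signature (digests, key resolution, trust) still has to follow.

```python
"""Structural check for direct vs. inherited SAML assertion signatures.

Example code for this discussion, not part of Spring SAML. It identifies
which ds:Signature covers the Assertion; it does NOT verify the signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _signature_covers(sig, element_id):
    """True if the signature's Reference points at element_id, i.e. it is an
    enveloped signature over that element and all of its children."""
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        if ref.get("URI", "") == f"#{element_id}":
            return True
    return False


def assertion_signature_source(response_xml):
    """Return 'assertion' (signed directly), 'inherited' (enclosing Response
    signed and its signature covers the Response), or None."""
    resp = ET.fromstring(response_xml)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return None
    a_sig = assertion.find("ds:Signature", NS)
    if a_sig is not None and _signature_covers(a_sig, assertion.get("ID")):
        return "assertion"
    r_sig = resp.find("ds:Signature", NS)
    if r_sig is not None and _signature_covers(r_sig, resp.get("ID")):
        return "inherited"
    return None


def response_is_signed(response_xml):
    """True if the Response element itself carries a covering signature."""
    resp = ET.fromstring(response_xml)
    r_sig = resp.find("ds:Signature", NS)
    return r_sig is not None and _signature_covers(r_sig, resp.get("ID"))


def meets_policy(response_xml, want_assertions_signed=True, want_response_signed=False):
    """Apply the two integrity switches independently, so an SP can require
    a Response signature, an Assertion signature (direct or inherited), or both."""
    if want_response_signed and not response_is_signed(response_xml):
        return False
    if want_assertions_signed and assertion_signature_source(response_xml) is None:
        return False
    return True


# ---- constructed sample messages (placeholder signature values) ----
def _sig(target_id):
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
            f'<ds:Reference URI="#{target_id}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def _response(resp_sig="", assertion_sig=""):
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example</saml:Issuer>
  {resp_sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example</saml:Issuer>
    {assertion_sig}
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


RESPONSE_SIGNED_ONLY = _response(resp_sig=_sig("_resp1"))      # the customer's style
ASSERTION_SIGNED_ONLY = _response(assertion_sig=_sig("_a1"))
UNSIGNED = _response()
# A Response-level signature whose Reference does not cover the Response
# element confers nothing on the Assertion.
WRONG_REFERENCE = _response(resp_sig=_sig("_something_else"))

if __name__ == "__main__":
    for name, msg in [("response only", RESPONSE_SIGNED_ONLY),
                      ("assertion only", ASSERTION_SIGNED_ONLY),
                      ("unsigned", UNSIGNED), ("wrong reference", WRONG_REFERENCE)]:
        print(f"{name:16} source={assertion_signature_source(msg)} "
              f"policy(assertions)={meets_policy(msg)} "
              f"policy(both)={meets_policy(msg, True, True)}")
```

Keeping the two switches separate is what closes the hole described in the post: with only wantsAssertionsSigned, a Response-only signing style forces the switch off and nothing is required, whereas a separate "want response signed" switch lets the SP still reject a fully unsigned message.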