Signature of <saml2p:Response> instead of <saml2:Assertion>

Feb 28, 2014 at 1:27 PM
When the IdP answer with a response that is signed globally - this means including the assertion that is part of the response - instead of containing an assertion that is itself signed the answer is refused because the assertion isn't signed.

This response and the included assertion should be considered as valid in such scenario. For example ADFS accept that kind of responses.

It is obviously critical to confirm that the assertion is effectively part of the content being signed to prevent XML signature wrapping attacks.
Mar 11, 2014 at 3:56 PM
Indeed, it appears there is allowance in the specification for signature inheritance... I'll need to look into this more in a future version, as it is non-trivial to implement.