Reputation: 2222
Context: I'm working on a SAML Service Provider implementation. We're implementing the SAML Web SSO profile with the HTTP-Redirect binding for generating AuthnRequests and the HTTP-POST binding for accepting SamlResponses (a typical setup used by popular products like Dropbox for Business). Our SP endpoints are going to be publicly accessible to anyone on the net, and our assertion consumer service URL is HTTPS.
The SAML specification is pretty clear about signing Assertions within the SamlResponse message: it's mandatory. However, the SAML spec is NOT clear about signing the enclosing Response element of the SamlResponse. It says it MAY be signed, and the signature MUST be validated when present. But then there's also this sentence:
"When a response message containing an assertion is delivered to a relying party via a user's web browser (for example using the HTTP POST binding), then to ensure message integrity, it is mandated that the response message be digitally signed using XML Signature."
The Spring Security SAML library does NOT require this signature to be present. The SSOCircle SAML test suite fails for implementations requiring it (SSOCircle uses SamlResponses without it in "positive" tests).
So, is it required in Web SSO profile, and why?
Upvotes: 0
Views: 566
Reputation: 90
Take a look at this document: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, page 68. It says "A digital signature is not always required in SAML". However, in Spring SAML you can specify in securityContext that you want a signed assertion/response: https://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html#configuration-metadata-sp-generation
Upvotes: 1
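An added example (not from either post, nor from the Spring Security SAML project) of the structural policy check a Service Provider can run before cryptographic verification, covering the distinction the question draws: every Assertion must carry its own enveloped signature, and the enclosing Response must carry one too when the SP's policy requires it for HTTP-POST delivery. The element and ID names in the sample messages are constructed; actual verification of each signature (digest, key, trust) is a separate step done with a library such as xmlsec and is not shown here.

```python
import xml.etree.ElementTree as ET  # production code: parse with defusedxml to block entity expansion

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def has_enveloped_signature(elem):
    """True only if elem has a direct ds:Signature child whose Reference URI is
    '#' + elem's own ID. A signature elsewhere in the tree, or one referencing a
    different ID, does not cover this element and must not be counted for it."""
    elem_id = elem.get("ID")
    for sig in elem.findall("ds:Signature", NS):
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if elem_id and ref is not None and ref.get("URI") == "#" + elem_id:
            return True
    return False

def check_signature_placement(xml_bytes, require_response_signature):
    """Structural check run before cryptographic verification.
    Returns (response_signed, [assertion_signed, ...]); raises ValueError on a policy violation."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    response_signed = has_enveloped_signature(root)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise ValueError("no plaintext saml:Assertion (EncryptedAssertion not handled here)")
    flags = [has_enveloped_signature(a) for a in assertions]
    if not all(flags):
        raise ValueError("every Assertion must carry its own signature")
    if require_response_signature and not response_signed:
        raise ValueError("Response element must be signed when delivered via HTTP-POST")
    return response_signed, flags

# Constructed sample messages (not real IdP output): the same signed assertion, with and
# without a signature on the enclosing Response. Only the structure matters for this check.
def _sig(ref_id):
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo></ds:Signature>' % (NS["ds"], ref_id))

def sample_response(sign_response):
    assertion = '<saml:Assertion xmlns:saml="%s" ID="_a1">%s</saml:Assertion>' % (NS["saml"], _sig("_a1"))
    return ('<samlp:Response xmlns:samlp="%s" ID="_r1">%s%s</samlp:Response>'
            % (NS["samlp"], _sig("_r1") if sign_response else "", assertion)).encode()

if __name__ == "__main__":
    print(check_signature_placement(sample_response(True), True))    # (True, [True])
    print(check_signature_placement(sample_response(False), False))  # (False, [True])
    try:
        check_signature_placement(sample_response(False), True)
    except ValueError as e:
        print("rejected:", e)
```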