search cancel

Why do both the SAML response and assertion need to be signed?

book

Article ID: 242249

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine CA Automic One Automation

Issue/Introduction

Per the Automic Automation documentation, the SAML Response must be signed.

=> To ensure message integrity, it is recommended signing both, the SAML Response and the Assertion. However, at least the SAML Response must be signed. Signing only the Assertion leads to an access denied.

Environment

Release : 21.0.2, 12.3.x

Component : AUTOMATION ENGINE

Cause

Generally, the signing of the Assertion should be a must-have, not the signing of the SAML-Response.
The SAML-Response-signing usually is optional. 

Why is the signing of the SAML-response is mandatory and not the Assertion?

 

Resolution

The SAML protocol is generally flexible and allows a lot of configurations or special settings. It is also not forbidden to require signing the SAML Response, although it is not usual practice.

At the time of the introduction it was decided to use this, and that's why it was also documented, as most IDPs also have this as a configurable option (Sign Assertion, Response or both).

As part of the ongoing story to improve the SAML capabilities/configuration, the option to configure what to have signed (Assertion, Response or both) was also included and will be reviewed by Product Management and Development.