Why do both the SAML response and assertion need to be signed?


Article ID: 242249



CA Automic Workload Automation - Automation Engine CA Automic One Automation


Per the Automic Automation documentation, the SAML Response must be signed:

=> To ensure message integrity, it is recommended to sign both the SAML Response and the Assertion. However, at least the SAML Response must be signed. Signing only the Assertion leads to access denied.


Release : 21.0.2, 12.3.x



Generally, signing the Assertion should be the must-have, not signing the SAML Response.
Signing the SAML Response is usually optional.

Why is signing the SAML Response mandatory here, and not signing the Assertion?



The SAML protocol is flexible and allows many configurations and special settings. Requiring the SAML Response to be signed is not forbidden, although it is not usual practice.

When SAML support was introduced, it was decided to require this, and that is why it was documented that way; most IdPs offer this as a configurable option (sign the Assertion, the Response, or both).

As part of the ongoing effort to improve the SAML capabilities and configuration, an option to configure what must be signed (Assertion, Response, or both) was also included and will be reviewed by Product Management and Development.
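As an added diagnostic (not from the Automic documentation or product), the following Python script locates the XML Signature elements in a SAML Response and reports whether their placement satisfies the documented Automic rule (Response signed; Assertion signature recommended but not sufficient on its own). The sample Response, its IdP URL and the signature values are constructed; the script only finds signatures and does not verify them.

```python
"""Locate ds:Signature elements in a SAML Response (diagnostic only, no verification).
Automic denies access when only the Assertion is signed; the Response must be signed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(response_xml: str) -> dict:
    """Which elements carry an enveloped signature (a direct ds:Signature child)."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document root is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions_signed": [a.find("ds:Signature", NS) is not None for a in assertions],
    }

def automic_accepts(placement: dict) -> bool:
    """Rule from the Automic documentation: the Response itself must be signed;
    an Assertion-only signature is not sufficient."""
    return placement["response_signed"]

# Constructed sample: only the Assertion is signed (the case Automic denies).
ASSERTION_ONLY_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same sample with a Response-level signature added as well (accepted).
RESPONSE_SIG = '  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cmVzcA</ds:SignatureValue></ds:Signature>\n'
BOTH_SIGNED = ASSERTION_ONLY_SIGNED.replace('  <saml:Assertion ID=', RESPONSE_SIG + '  <saml:Assertion ID=', 1)

if __name__ == "__main__":
    for name, doc in (("assertion only", ASSERTION_ONLY_SIGNED), ("both", BOTH_SIGNED)):
        p = signature_placement(doc)
        print(name, p, "-> accepted" if automic_accepts(p) else "-> access denied")
```

Run it against a Response captured from your IdP's test configuration (e.g. via the browser's SAML tracer) to confirm the IdP is signing the Response before enabling it for Automic.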