SAML 2.0 Documentation should talk about decrypting unsigned SAML 2.0 responses

Open: jzheaux opened this issue 4 years ago • 1 comment

In 5.5, a change was made to disallow decryption unless the SAML 2.0 response is signed. Since this is a breaking change, we should have some documentation that shows how to restore the previous behavior to simplify upgrading to the latest.

jzheaux, Aug 20 '21 16:08

@jzheaux I also stumbled over this issue after updating spring security.

I have read the related tickets and comments, but it's still not completely clear to me.

Did I understand correctly that if I use encrypted assertions, the response needs to be signed? It is not enough to sign the assertion? Because that is the Azure AD Default, which is now not working anymore.

Azure AD has the following options:

  1. Sign SAML assertion (default)
  2. Sign SAML response
  3. Sign SAML response and assertion

dawi, Dec 16 '21 17:12