Forums, Documentation & Knowledge Base - ComponentSpace

SAML Assertion Signature Validation


http://componentspace.com/Forums/Topic9987.aspx

By tomha - 5/28/2019

Snippet
We recently had a penetration test performed on our site. There was a vulnerability reported in that a SAML Assertion was valid if the Signature block is removed. I would have assumed that the ISamlServiceProvider ReceiveSsoAsync would validate a SAML Response. Can you recommend an approach where I can validate if the Response contains the Signature block?
By ComponentSpace - 5/29/2019

Thanks for the update.
These flags are defined in our Configuration Guide.
WantAssertionOrResponseSigned requires either the SAML assertion or SAML response to be signed and successfully verified. If neither is signed or verifies we throw an exception. This flag defaults to true as this is the most common use case.
However, if required you can explicitly specify you want the SAML response or SAML assertion signed using the WantSAMLResponseSIgned and WantAssertionSigned flags.