spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

SAML 2.0 Documentation should talk about decrypting unsigned SAML 2.0 responses #10219

Open jzheaux opened 2 years ago

jzheaux commented 2 years ago

In 5.5, a change was made to disallow decryption unless the SAML 2.0 response is signed. Since this is a breaking change, we should have some documentation that shows how to restore the previous behavior to simplify upgrading to the latest.

dawi commented 2 years ago

@jzheaux I also stumbled over this issue after updating spring security.

I have read the related tickets and comments, but it's still not completely clear to me.

Did I understand correctly that if I use encrypted assertions, the response needs to be signed? Is it not enough to sign the assertion? Because that is the Azure AD default, which is now not working anymore.

Azure AD has the following options:

  1. Sign SAML assertion (default)
  2. Sign SAML response
  3. Sign SAML response and assertion