Validate asserting party metadata signature

[palakova]

Various elements in metadata can be digitally signed. Although signatures are optional, according to SAML specification, section 4.3.3.2 Processing Signed Documents and Fragments, "Metadata consumers MUST validate signatures, when present."

Expected Behavior Similar as the previous Spring Security SAML Extension implementation: Enable to submit a collection of public keys via configuration (e.g. as a part of RelyingPartyRegistration) and verify signature(s) in IdP metadata using PKIX algorithm and using the provided public keys as trust anchors.

Current Behavior I believe metadata signature is not verified. I did not find any way to enable this behaviour.

Context Adding metadata signature increases security and conforms to SAML 2.0 specification. As an example, Azure AD signs the root <EntityDescriptor> element of it's metadata.

[jzheaux]

I think this sounds reasonable, though it would likely involve making OpenSamlAssertingPartyDetailsConverter public and polishing it accordingly.

It might change to something like OpenSamlAssertingPartyDetailsDecoder (similar to NimbusJwtDecoder) and may get an interface like AssertingPartyDetailsDecoder. The implementation would take the keys as part of its construction.

[sumeetpri]

Hi @jzheaux @sjohnr , metadata consumer must validate signature when presented . Is there any option to add signature?