SAML2: Signing the documents, in addition to the assertion
Use-case
SSO solution for most things
Environment
Self-hosted
Version
Current latest version.
Stack
AWS EKS
Question
We want to integrate the AWS Client VPN with Zitadel via SAML2 as the SSO solution to log in to the VPN. However, as described in the AWS docs, "The SAML assertion and SAML documents must be signed", and Zitadel only delivers a signed assertion in its response.
We've been trying to find an option for Zitadel to also sign the SAML documents to match this requirement, but as far as we can see there is no support for this. We found this code that has been commented out in the source code; was the purpose of it maybe to support this?
Is it possible to make Zitadel also sign the SAML documents? If not, is this feature on the roadmap?
Single sign-on - SAML 2.0-based federated authentication - in C...
Learn how single sign-on (SAML 2.0-based federated authentication) works in Client VPN.
GitHub
saml/pkg/provider/signature/signature.go at main · zitadel/saml
A SAML 2.0 server (IdP) implementation written for Go - zitadel/saml
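A quick way to check the requirement quoted above, as an added example that is not part of this thread or of the zitadel/saml code: it parses a base64-decoded SAMLResponse and reports whether the Response element (the "SAML document") and the Assertion each carry a ds:Signature. The two sample responses are constructed, and the check records presence only; verifying the signatures remains the SP's job.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Assertion with its optional enveloped ds:Signature. Only presence is recorded;
// an EncryptedAssertion does not match this struct and is reported as unsigned.
type assertion struct {
	Signature *struct{} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
}

// Response ("SAML document") with its own optional signature plus the assertion.
type response struct {
	XMLName   xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Signature *struct{}  `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	Assertion *assertion `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// SigningReport records which parts of a decoded SAML Response are signed.
type SigningReport struct{ ResponseSigned, AssertionSigned bool }

// MeetsAWSClientVPN is the rule quoted from the AWS docs: both must be signed.
func (s SigningReport) MeetsAWSClientVPN() bool { return s.ResponseSigned && s.AssertionSigned }

// InspectResponse parses a base64-decoded SAMLResponse and reports where
// ds:Signature elements appear (Response level vs. Assertion level).
func InspectResponse(raw []byte) (SigningReport, error) {
	var r response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return SigningReport{}, fmt.Errorf("parse SAML response: %w", err)
	}
	rep := SigningReport{ResponseSigned: r.Signature != nil}
	if r.Assertion != nil {
		rep.AssertionSigned = r.Assertion.Signature != nil
	}
	return rep, nil
}

// Constructed minimal responses (not captured from Zitadel or AWS).
const assertionOnlySigned = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1"><saml:Assertion ID="_a1"><ds:Signature/></saml:Assertion></samlp:Response>`
const fullySigned = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2"><ds:Signature/><saml:Assertion ID="_a2"><ds:Signature/></saml:Assertion></samlp:Response>`
func main() {
	for _, doc := range []string{assertionOnlySigned, fullySigned} {
		rep, _ := InspectResponse([]byte(doc)) // constructed input, parses cleanly
		fmt.Printf("response=%v assertion=%v meetsAWS=%v\n", rep.ResponseSigned, rep.AssertionSigned, rep.MeetsAWSClientVPN())
	}
}
```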
2 Replies
Hey there @Travis, I'm looking into this and will report back what I find. Thanks for the context in the write up by the way!
Thanks @Jim Morrison, we tried to get this fixed and the following PR solves our issue: https://github.com/zitadel/saml/pull/102
I'm not read up on your contribution guidelines etc., but I'd be happy to make updates to the PR to get it merged. Or, if someone on your team wants to take it over and incorporate it as-is or maybe with a config option or similar.
At least, with these changes we can now successfully use Zitadel as SSO for the AWS Client VPN.