Thomas
Thomas2mo ago

SAML Application complains about assertions are not signed

Hi,

Use-case: I try to onboard a SAML Application; after exchanging metadata, login fails.

Environment: Self Hosting
Version: v2.71.15
Stack: n/a

What you expected to happen: Login to the application should work.

What went wrong: The SP reports that the assertion is not signed. Error log from the application: "Invalid SAML SSO assertion: The Message of the Response is not signed and the SP requires it"

In the metadata from the SP the descriptor is `<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"`. It looks like the same problem as in https://github.com/zitadel/zitadel/discussions/9049. I'm using an action to add a SAML attribute; maybe this breaks the assertion signing.

Any hints are very welcome. Thanks, Thomas
3 Replies
Ask Inkeep
Ask Inkeep2mo ago
Hi @Thomas, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

ZITADEL signs the SAML assertion in its response, which matches what your Service Provider (SP) requires when the SP metadata includes WantAssertionsSigned="true" (1). There is no indication in the documentation that you need to take extra steps to enable assertion signing; this should be handled automatically by ZITADEL. If your SP still reports that the assertion is not signed, it may be worth double-checking the SAML configuration on both sides for mismatches or errors.

Additionally, there have been discussions about signing not just the assertion but also the SAML response document itself; ZITADEL typically signs only the assertion in its SAML response (2). If your SP expects both the assertion and the response to be signed, you may encounter issues unless additional configuration or code changes are made.

For further details, see:
- Authenticate users with SAML
- SAML2: Signing the documents, in addition to the assertion

To learn more, see the sources I considered:
[1] Authenticate users with SAML
[2] SAML2: Signing the documents, in addition to the assertion

Feel free to tag @Ask Inkeep with additional questions.
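The distinction the answer above draws (assertion signed vs. the whole Response message signed) is exactly what the SP error in the question hinges on. The following added triage script is not part of this thread or of ZITADEL; it inspects which elements of a SAML Response carry an enveloped `ds:Signature` so an admin can see at a glance whether the IdP signed the Assertion, the Response, or both. The sample response is constructed, and the script only checks signature placement, it does not verify signature values.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the Assertion is signed, the Response element is not.
# This mirrors the situation described in the thread (assertion-only signing).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_asn1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_asn1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def _has_own_signature(elem):
    """True if elem carries a direct ds:Signature whose Reference points at elem's ID.
    Structural check only; the signature value is not verified."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    # An empty URI means "the whole document", which also covers elem.
    return uri == "" or uri == "#" + elem.get("ID", "")


def signed_parts(xml_bytes):
    """Report which parts of a SAML Response are enveloped-signed."""
    root = ET.fromstring(xml_bytes)
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response": _has_own_signature(root),
        "assertion": bool(assertions) and all(_has_own_signature(a) for a in assertions),
    }


def explain(xml_bytes, want_assertions_signed=True, want_message_signed=False):
    """Compare what the IdP signed with what the SP demands; return a list of mismatches."""
    parts = signed_parts(xml_bytes)
    problems = []
    if want_assertions_signed and not parts["assertion"]:
        problems.append("SP requires signed assertions but the Assertion is not signed")
    if want_message_signed and not parts["response"]:
        problems.append("SP requires a signed Response message but the Response element is not signed")
    return problems
```

Run `explain(SAMPLE_RESPONSE, want_message_signed=True)` to reproduce the "Message of the Response is not signed" situation from the question; with the default (assertion-only) requirement it reports nothing.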
Thomas
ThomasOP2mo ago
I can confirm that the full message has to be signed. After I applied the patch from the pull request my application is working fine. Are there any plans to integrate the patch?
Rajat
Rajat2mo ago
hey @Thomas thanks for pointing this out, is it possible for you to open a PR or at least file a bug, we need to track it somehow 🙂
