SAML application complains that assertions are not signed
Hi,
Use-case: I try to onboard a SAML application; after exchanging metadata, login fails
Environment: Self Hosting
Version: v2.71.15
Stack: n/a
What you expected to happen: Login to application should work
What went wrong: The SP reports that the assertion is not signed:
Error log from the application: "Invalid SAML SSO assertion: The Message of the Response is not signed and the SP requires it"
In the metadata from the SP the descriptor is:
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
Looks like the same problem as in https://github.com/zitadel/zitadel/discussions/9049
I'm using an action to add a SAML attribute. Maybe this breaks the assertion signing.
Any hints are very welcome.
Thanks
ThomasGitHub
Hi @Thomas, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
ZITADEL signs the SAML assertion in its response, which matches what your Service Provider (SP) requires when the SP metadata includes
WantAssertionsSigned="true"
(1). There is no indication in the documentation that you need to take extra steps to enable assertion signing—this should be handled automatically by ZITADEL.
If your SP still reports that the assertion is not signed, it may be worth double-checking the SAML configuration on both sides for mismatches or errors. Additionally, there have been discussions about signing not just the assertion but also the SAML response document itself; ZITADEL typically signs only the assertion in its SAML response (2). If your SP expects both the assertion and the response to be signed, you may encounter issues unless additional configuration or code changes are made.
For further details, see:
- Authenticate users with SAML
- SAML2: Signing the documents, in addition to the assertion
To learn more, see the sources I considered:
[1] Authenticate users with SAML
[2] SAML2: Signing the documents, in addition to the assertion
Feel free to tag @Ask Inkeep with additional questions.
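The error quoted in the question names the Response (the "Message"), while the metadata flag `WantAssertionsSigned` only covers the Assertion. The following is an added diagnostic, not ZITADEL's or the SP's code: it parses a SAML Response and reports whether the enveloped `ds:Signature` sits on the Response element, on the Assertion, or both, so the mismatch described in the answer can be confirmed from a captured response. The sample response, the `want_messages_signed` flag and the element IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG_TAG = f"{{{NS['ds']}}}Signature"

# Constructed sample: assertion-level signature present, no Response-level signature.
# The SignatureValue is a placeholder; nothing here is cryptographically validated.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def signature_locations(response_xml: str) -> dict:
    """Report where enveloped ds:Signature elements appear in a SAML Response.

    A signature counts for an element only when it is a direct child of that
    element, which is the enveloped layout SAML uses. Presence only; this does
    not verify the signatures.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response document")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": any(c.tag == SIG_TAG for c in root),
        "assertions_signed": [any(c.tag == SIG_TAG for c in a) for a in assertions],
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def explain(report: dict, want_assertions_signed: bool, want_messages_signed: bool) -> list:
    """Compare the report against the SP's two separate requirements (assumed flags)."""
    problems = []
    if want_assertions_signed and not all(report["assertions_signed"]):
        problems.append("assertion is not signed but SP requires it")
    if want_messages_signed and not report["response_signed"]:
        problems.append("Response (message) is not signed but SP requires it")
    return problems


if __name__ == "__main__":
    report = signature_locations(SAMPLE_RESPONSE)
    print(report, explain(report, True, True))
```

With the sample, `explain(report, True, False)` is clean while `explain(report, True, True)` flags only the Response, which is the situation the answer describes: the assertion is signed, the message is not.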