Digital Signing of SAML Element

Click here for background on the proposed changes related to Digital Signatures.


 * **Description of Area to Address:** Need to determine whether WS-I defines a requirement to digitally sign the SAML element.

//input from Tom Davidson (5/6/2010):// The following is an excerpt from the SAML 2.0 Core specification, Section 5.0. This is the section I was referring to which indicated that it is RECOMMENDED to sign the SAML assertion, but it doesn't say it is REQUIRED.

Many different techniques are available for "direct" authentication and secure channel establishment between two parties. The list includes TLS/SSL (see [RFC 2246]/[SSL3]), HMAC, password-based mechanisms, and so on. In addition, the applicable security requirements depend on the communicating applications and the nature of the assertion or message transported.

It is RECOMMENDED that, in all other contexts, digital signatures be used for assertions and request and response messages. Specifically:
 * A SAML assertion obtained by a SAML relying party from an entity other than the SAML asserting party SHOULD be signed by the SAML asserting party.
 * A SAML protocol message arriving at a destination from an entity other than the originating sender SHOULD be signed by the sender.
 * Profiles MAY specify alternative signature mechanisms such as S/MIME or signed Java objects that contain SAML documents. Caveats about retaining context and interoperability apply. XML Signatures are intended to be the primary SAML signature mechanism, but this specification attempts to ensure compatibility with profiles that may require other mechanisms.
 * Unless a profile specifies an alternative signature mechanism, any XML Digital Signatures MUST be enveloped.
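The last bullet is the one a relying party can check mechanically: an enveloped XML Signature sits as a direct child of the element it signs, carries a single Reference whose URI is the signed element's own ID, and lists the enveloped-signature transform. The following is an added example, not code from the page, from WS-I or from any SAML toolkit. It checks only that structure, which is the part signature-wrapping attacks abuse; cryptographic verification of the digest and SignatureValue still has to be done with an XML-DSig library before the assertion is trusted. The two assertions are constructed samples, and their DigestValue and SignatureValue are placeholders rather than real signatures.

```python
"""Structural checks that a SAML 2.0 assertion carries an *enveloped*
XML Signature, as SAML Core section 5 requires unless a profile says
otherwise.  Added illustration code; structure only, no crypto."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def check_enveloped_signature(assertion_xml: str) -> list:
    """Return a list of problems; an empty list means the assertion has
    exactly one ds:Signature, placed as its direct child, whose single
    Reference points at the assertion's own ID with the enveloped
    transform.  Each check corresponds to a way loosely-placed or
    loosely-referenced signatures get wrapped around attacker content."""
    problems = []
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is %s, not saml:Assertion" % root.tag]
    assertion_id = root.get("ID")
    if not assertion_id:
        problems.append("Assertion has no ID attribute to be referenced")

    # Enveloped means the Signature is a direct child of the signed element.
    direct = root.findall("ds:Signature", NS)
    if len(direct) != 1:
        problems.append("expected one direct-child ds:Signature, found %d" % len(direct))
        return problems
    # Any additional Signature nested deeper (e.g. inside saml:Advice)
    # is a wrapping indicator, so count every descendant too.
    total = root.findall(".//ds:Signature", NS)
    if len(total) != 1:
        problems.append("found %d ds:Signature elements in total, expected 1" % len(total))

    refs = direct[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        problems.append("expected one ds:Reference, found %d" % len(refs))
        return problems
    uri = refs[0].get("URI")
    if uri != "#" + str(assertion_id):
        problems.append("Reference URI %r does not point at this assertion's ID %r"
                        % (uri, assertion_id))
    transforms = [t.get("Algorithm")
                  for t in refs[0].findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED_TRANSFORM not in transforms:
        problems.append("Reference lacks the enveloped-signature transform")
    return problems


# Constructed sample: a correctly enveloped signature (placeholder values).
SIGNED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1b2c3" Version="2.0"
    IssueInstant="2010-05-06T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1b2c3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed sample: the Signature is present but references a different
# ID and omits the enveloped transform, so it does not sign this assertion.
WRAPPED_ASSERTION = SIGNED_ASSERTION.replace('ID="_a1b2c3"', 'ID="_forged"').replace(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>', "")


if __name__ == "__main__":
    print("signed :", check_enveloped_signature(SIGNED_ASSERTION))
    print("wrapped:", check_enveloped_signature(WRAPPED_ASSERTION))
```

Run the structural check first and reject on any problem; only then hand the assertion to the XML-DSig library, and verify against the asserting party's known key rather than any ds:KeyInfo embedded in the message.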