
In SAML, signing or encrypting the assertions seems to be essential, but I'm not finding much information describing any benefits or drawbacks of signing the authentication request in real-world "practical" scenarios.

Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML), section 5.2.1.2, says that it can prevent DoS attacks, but are there any other attacks that signed requests would prevent?
Are there any other benefits or drawbacks of using signed authentication requests from the SP?

AndOs

1 Answer


Signed requests can help in the scenario where the Assertion Consumer Service URL requested after authentication can point to a variety of domains or URLs. To avoid being used as an open redirector, the IDP would generally validate based on a predefined list of valid URIs. This list would be obtained from the SP metadata or manually entered from a known list. But if the SP signs the authentication request, then the IDP has some assurance that the request is valid even if the URI is not in the predefined list.

explunit
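The decision explunit describes, written out as an added example (this is not code from the answer or from any SAML library). It models the SP and IdP sides of the HTTP-Redirect binding with RSA-SHA256 using only the Go standard library: the SP deflates, base64s and URL-encodes the AuthnRequest and signs the `SAMLRequest=...&SigAlg=...` query text; the IdP decodes the request, accepts an AssertionConsumerServiceURL that is on the list taken from the SP metadata as-is, and accepts any other ACS URL only if the signature verifies under the SP's registered key. The entityID, ACS URLs, key and type/function names are all constructed for the example; the IdP is assumed to have already loaded this one SP's metadata.

```go
package main

import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

const sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// AuthnRequest carries only the fields the IdP consults for this check.
type AuthnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ACS     string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

type SPRegistration struct { // what the IdP took from the SP's metadata (constructed for the example)
	EntityID   string
	KnownACS   map[string]bool // the predefined list of valid ACS URLs
	SigningKey *rsa.PublicKey  // the key the SP signs its AuthnRequests with
}

// encodeRequest applies the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode.
func encodeRequest(req AuthnRequest) string {
	var buf strings.Builder
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	xml.NewEncoder(w).Encode(req) // fixed struct, cannot fail
	w.Close()
	return url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(buf.String())))
}

// signedQuery is the SP side: the signature covers the URL-encoded "SAMLRequest=...&SigAlg=..." text as sent.
func signedQuery(req AuthnRequest, key *rsa.PrivateKey) string {
	toSign := "SAMLRequest=" + encodeRequest(req) + "&SigAlg=" + url.QueryEscape(sigAlg)
	h := sha256.Sum256([]byte(toSign))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]) // fails only for a malformed key
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
}

// rawParams keeps values URL-encoded: the IdP must verify the bytes as received, not its own re-encoding.
func rawParams(q string) map[string]string {
	raw := map[string]string{}
	for _, kv := range strings.Split(q, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	return raw
}

// verifySignature checks the SP's signature over SAMLRequest and SigAlg (a RelayState, if present, sits between them).
func verifySignature(raw map[string]string, pub *rsa.PublicKey) error {
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); err != nil || alg != sigAlg {
		return fmt.Errorf("malformed Signature or unsupported SigAlg")
	}
	h := sha256.Sum256([]byte("SAMLRequest=" + raw["SAMLRequest"] + "&SigAlg=" + raw["SigAlg"]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// ResolveACS is the IdP decision from the answer: a listed ACS URL is accepted as-is, any other one only with a valid SP signature.
func ResolveACS(query string, sp *SPRegistration) (string, error) {
	raw := rawParams(query)
	b64, _ := url.QueryUnescape(raw["SAMLRequest"])
	// Reverse the binding; cap the inflated size so a tiny request cannot expand into a huge document.
	inflater := flate.NewReader(base64.NewDecoder(base64.StdEncoding, strings.NewReader(b64)))
	doc, err := io.ReadAll(io.LimitReader(inflater, 1<<20))
	var req AuthnRequest
	switch _, signed := raw["Signature"]; {
	case err != nil || xml.Unmarshal(doc, &req) != nil:
		return "", fmt.Errorf("malformed SAMLRequest")
	case req.Issuer != sp.EntityID:
		return "", fmt.Errorf("issuer %q is not a registered SP", req.Issuer)
	case sp.KnownACS[req.ACS]:
		return req.ACS, nil // on the predefined list: no signature needed
	case !signed:
		return "", fmt.Errorf("unregistered ACS URL %q in an unsigned request", req.ACS)
	case verifySignature(raw, sp.SigningKey) != nil:
		return "", fmt.Errorf("unregistered ACS URL %q and the signature does not verify", req.ACS)
	}
	return req.ACS, nil // not on the list, but the SP vouched for it by signing
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // the SP's signing key; its public half is in the SP metadata
	sp := &SPRegistration{"https://sp.example.com/metadata", map[string]bool{"https://sp.example.com/saml/acs": true}, &key.PublicKey}
	req := AuthnRequest{Issuer: sp.EntityID, ACS: "https://sp-staging.example.com/saml/acs"} // not on the list
	fmt.Println(ResolveACS("SAMLRequest="+encodeRequest(req), sp)) // rejected: unsigned
	fmt.Println(ResolveACS(signedQuery(req, key), sp))              // accepted on the strength of the signature
}
```

Two points the code makes explicit: the signature is verified over the query parameters exactly as they arrived (re-encoding them on the IdP side is a common interoperability bug), and the SigAlg parameter is checked against the expected algorithm rather than trusted from the request. The signature does not remove the need for SP metadata, since that is where the IdP gets the key; it only lets the IdP accept an ACS URL that the metadata did not list, because an attacker who rewrites the ACS URL in a captured request cannot produce a matching signature.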