SAML authentication requires signature for either SAML Response or its Assertion, not both

[fairclothjm]

Hello! Thanks for the library!

In my testing, it appears as though this library requires a signature for either the SAML Response or its Assertion, but not both.

gosaml2/decode_response.go

Lines 272 to 304 in 8690358

	var responseSignatureValidated bool
	if !sp.SkipSignatureValidation {
	el, err = sp.validateElementSignature(el)
	if err == dsig.ErrMissingSignature {
	// Unfortunately we just blew away our Response
	el = doc.Root()
	} else if err != nil {
	return nil, err
	} else if el == nil {
	return nil, fmt.Errorf("missing transformed response")
	} else {
	responseSignatureValidated = true
	}
	}
	err = sp.decryptAssertions(el)
	if err != nil {
	return nil, err
	}
	var assertionSignaturesValidated bool
	if !sp.SkipSignatureValidation {
	err = sp.validateAssertionSignatures(el)
	if err == dsig.ErrMissingSignature {
	if !responseSignatureValidated {
	return nil, fmt.Errorf("response and/or assertions must be signed")
	}
	} else if err != nil {
	return nil, err
	} else {
	assertionSignaturesValidated = true
	}
	}

Would you accept a PR to enable requiring both Response and assertion to be signed? Thanks

[landron]

You can check them outside of the library by using ResponseSignatureValidated and SignatureValidated on each assertion, respectively.

[mitar]

My understanding is that standard (section 4.1.3.5) requires that assertions are signed (for HTTP POST binding).