If the HTTP POST binding is used to deliver the Response, the enclosed assertions must be signed

This is probably not obvious to most users, but if the HTTP POST binding is used to deliver the Response, the enclosed assertions must be signed.

This is stated in the following links:

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

SAML Version 2.0 Errata 05

For example:

New at Section 4.1.4.5, lines 600-601
If the HTTP POST binding is used to deliver the <Response>, each assertion MUST be protected by a digital signature. This can be accomplished by signing each individual <Assertion> element or by signing the <Response> element.

3 Likes
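As an added illustration (not code from the post above), here is a relying-party-side check of the errata rule: a base64 SAMLResponse form value passes only if the Response element itself carries an enveloped signature or every enclosed Assertion does. The function names, the placeholder IDs and the sample documents are constructed for this example; it checks only that signatures are present and leaves cryptographic verification to an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _is_signed(elem):
    # "Signing the element" means an enveloped ds:Signature that is a direct
    # child of that element; a Signature nested deeper does not count.
    return elem.find("ds:Signature", NS) is not None

def check_post_binding_signatures(saml_response_b64):
    """Apply the errata rule to a base64 SAMLResponse form value.
    Returns (ok, reasons). Presence only; verify the XML-DSig separately."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["root element is not samlp:Response"]
    if _is_signed(root):
        return True, []  # a signed Response protects every enclosed assertion
    reasons = []
    if root.findall("saml:EncryptedAssertion", NS):
        reasons.append("EncryptedAssertion must be decrypted before checking")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions and not reasons:
        reasons.append("no saml:Assertion elements found")
    for a in assertions:
        if not _is_signed(a):
            reasons.append("unsigned assertion ID=%s" % a.get("ID", "?"))
    return (not reasons), reasons

# Constructed minimal samples (placeholder IDs, empty Signature body).
_SIG = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
_TMPL = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp">'
         '<saml:Assertion ID="_a1">%s</saml:Assertion></samlp:Response>')

def sample(signed):
    xml = _TMPL % (NS["samlp"], NS["saml"], _SIG if signed else "")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_post_binding_signatures(sample(True)))   # (True, [])
    print(check_post_binding_signatures(sample(False)))  # (False, ['unsigned assertion ID=_a1'])
```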

Hey Sam,

Thanks so much for sharing this valuable tip with the community. Your insight about the need to sign enclosed assertions when using the HTTP POST binding, which can be easily overlooked, is a crucial detail.

The provided links and example clarify the process, and your proactive approach to sharing such details is greatly appreciated! :+1:
