Signed Response with Encrypted Assertion (sign-then-encrypt)

  • Sixto Garcia

    OneLogin follows the standard, and the SAML standard says:

    If you need to build a Signed Response with Signed & Encrypted Assertion then:

    1. Sign Assertion
    2. Encrypt the Assertion
    3. Sign the whole Message of the SAMLResponse

    In order to validate it, you may validate first the signature of the original SAMLResponse, then decrypt the Assertion and validate the signature of the Assertion.
