
Commit 6dbd88a

committed
Remove WantAssertionsSigned
WantAssertionsSigned requires that asserting parties sign the assertions. This does not reflect how Spring Security actually behaves, creating behavior mismatches. Closes gh-10844
1 parent eca32b4 commit 6dbd88a


2 files changed

+2
-4
lines changed


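--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
@@ -81,7 +81,6 @@ public String resolve(RelyingPartyRegistration relyingPartyRegistration) {
 private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration) {
 SPSSODescriptor spSsoDescriptor = build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
-spSsoDescriptor.setWantAssertionsSigned(true);
 spSsoDescriptor.getKeyDescriptors()
 .addAll(buildKeys(registration.getSigningX509Credentials(), UsageType.SIGNING));
 spSsoDescriptor.getKeyDescriptors()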

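--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolverTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolverTests.java
@@ -37,8 +37,7 @@ public void resolveWhenRelyingPartyThenMetadataMatches() {
 OpenSamlMetadataResolver openSamlMetadataResolver = new OpenSamlMetadataResolver();
 String metadata = openSamlMetadataResolver.resolve(relyingPartyRegistration);
 assertThat(metadata).contains("<EntityDescriptor").contains("entityID=\"rp-entity-id\"")
-.contains("WantAssertionsSigned=\"true\"").contains("<md:KeyDescriptor use=\"signing\">")
-.contains("<md:KeyDescriptor use=\"encryption\">")
+.contains("<md:KeyDescriptor use=\"signing\">").contains("<md:KeyDescriptor use=\"encryption\">")
 .contains("<ds:X509Certificate>MIICgTCCAeoCCQCuVzyqFgMSyDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBh")
 .contains("Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"")
 .contains("Location=\"https://rp.example.org/acs\" index=\"1\"")
@@ -54,7 +53,7 @@ public void resolveWhenRelyingPartyNoCredentialsThenMetadataMatches() {
 OpenSamlMetadataResolver openSamlMetadataResolver = new OpenSamlMetadataResolver();
 String metadata = openSamlMetadataResolver.resolve(relyingPartyRegistration);
 assertThat(metadata).contains("<EntityDescriptor").contains("entityID=\"rp-entity-id\"")
-.contains("WantAssertionsSigned=\"true\"").doesNotContain("<md:KeyDescriptor use=\"signing\">")
+.doesNotContain("<md:KeyDescriptor use=\"signing\">")
 .doesNotContain("<md:KeyDescriptor use=\"encryption\">")
 .contains("Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"")
 .contains("Location=\"https://rp.example.org/acs\" index=\"1\"")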
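Review bot: Neither test pins the new behaviour: once the two `.contains("WantAssertionsSigned=\"true\"")` assertions are dropped, nothing in `resolveWhenRelyingPartyThenMetadataMatches` or `resolveWhenRelyingPartyNoCredentialsThenMetadataMatches` checks that the attribute is actually absent from the generated metadata. Adding `.doesNotContain("WantAssertionsSigned")` to both assertion chains would stop the resolver from silently advertising the requirement again. With the attribute omitted, the SAML metadata default of false applies, so an identity provider may sign only the response; the signature requirement then rests entirely on the relying party's response validation, which is presumably covered by tests outside this diff. Both test methods start and end outside the hunks shown.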
