Affects Version/s: 11.0.3, 12.0.0, 12.0.1, 12.0.2, 13.0.0
Sprint:AM Sustaining Sprint 13, AM Sustaining Sprint 14
Support Ticket IDs:
Steps to reproduce - on OpenAM version 12.0.2:
1) Create a hosted IDP, e.g. idp.example.net, and
2) Create a hosted SP, e.g. sp.example.com - register the remote IDP
3) Register remote SP in same COT.
4) Select "Post Response Signed" in the remote SP configuration on the IDP server.
On idp.example.net: Federation > Entity provider > sp.example.com (remote sp) > ensure "Post Response Signed:" is ticked.
5) Invoke spSSOInit with the HTTP-POST binding, e.g.
Expected result: SSO should succeed.
Actual result: sign-on failed (status 500 in browser).
If the OpenAM SP configuration specifies neither the "Post Response Signed" nor the "Assertions Signed" option, the SP still requires a signed Assertion for the HTTP-POST binding, regardless of whether the Response is signed.
It would be good to let the IDP decide which of the two it wants to use when the SP does not restrict it via the wantPostResponseSigned/wantAssertionsSigned options. The SP can then validate whichever signatures are present and check that at least one of the two is used (as the SAML2 specification says).
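The following is an added example, not OpenAM code, showing the SP-side decision the issue describes. It classifies which parts of a SAML 2.0 HTTP-POST Response carry an enveloped signature (a ds:Signature that is a direct child of the element and whose Reference points at that element's own ID) and then applies either the behaviour reported in the issue (a signed Assertion is always required) or the requested behaviour (the IDP chooses, and at least one of Response or Assertion must be signed unless the SP's wantAssertionsSigned/wantPostResponseSigned options say otherwise). The sample messages are constructed; their ds:Signature elements are structural placeholders, and cryptographic verification of each signature is assumed to be done separately by an XML-DSig library before this policy check is trusted. The function and parameter names are this example's own.

```python
"""Signature-placement check and SP acceptance policy for a SAML 2.0
samlp:Response received over the HTTP-POST binding (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE_TAG = "{%s}Response" % NS["samlp"]
SIG_TAG = "{%s}Signature" % NS["ds"]


def _covers(sig: ET.Element, element: ET.Element) -> bool:
    """A signature counts for `element` only if it is a direct child of it and
    its single ds:Reference URI is '#' + the element's own ID attribute
    (the enveloped-signature shape SAML 2.0 uses). Presence is checked here;
    the cryptographic verification is assumed to happen elsewhere."""
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    elem_id = element.get("ID")
    return len(refs) == 1 and elem_id is not None and refs[0].get("URI") == "#" + elem_id


def signed_parts(response_xml: str) -> dict:
    """Return which elements of the Response carry their own signature."""
    root = ET.fromstring(response_xml)
    if root.tag != RESPONSE_TAG:
        raise ValueError("not a samlp:Response")
    response_signed = any(c.tag == SIG_TAG and _covers(c, root) for c in root)
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = [
        any(c.tag == SIG_TAG and _covers(c, a) for c in a) for a in assertions
    ]
    return {"response_signed": response_signed, "assertions_signed": assertions_signed}


def accept_post_response(response_xml: str, want_assertions_signed: bool,
                         want_post_response_signed: bool,
                         legacy_behaviour: bool = False) -> bool:
    """SP decision for the HTTP-POST binding.

    want_assertions_signed / want_post_response_signed model the SP metadata
    options named in the issue. legacy_behaviour=True reproduces the reported
    behaviour (signed Assertion required even when neither option is set);
    False applies the requested rule: honour any explicit restriction, and
    otherwise accept if the Response or every Assertion is signed."""
    parts = signed_parts(response_xml)
    if not parts["assertions_signed"]:
        return False  # no Assertion at all: nothing to authenticate with
    all_assertions_signed = all(parts["assertions_signed"])
    if want_assertions_signed and not all_assertions_signed:
        return False
    if want_post_response_signed and not parts["response_signed"]:
        return False
    if legacy_behaviour:
        return all_assertions_signed
    return parts["response_signed"] or all_assertions_signed


def build_response(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed sample message (not a real IDP message). Signature elements
    carry only the Reference URI a real signer would emit."""
    def sig(target_id: str) -> str:
        return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
                '<ds:Reference URI="#%s"/></ds:SignedInfo>'
                '<ds:SignatureValue>placeholder</ds:SignatureValue>'
                '</ds:Signature>' % (NS["ds"], target_id))
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" '
        'Version="2.0" Destination="https://sp.example.com/acs">'
        '<saml:Issuer>https://idp.example.net</saml:Issuer>' % (NS["samlp"], NS["saml"])
        + (sig("_resp1") if sign_response else "")
        + '<saml:Assertion ID="_asn1" Version="2.0">'
          '<saml:Issuer>https://idp.example.net</saml:Issuer>'
        + (sig("_asn1") if sign_assertion else "")
        + '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
          '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    # The scenario from the issue: IDP signs only the Response, SP has neither option set.
    msg = build_response(sign_response=True, sign_assertion=False)
    print("reported behaviour accepts:", accept_post_response(msg, False, False, legacy_behaviour=True))
    print("requested behaviour accepts:", accept_post_response(msg, False, False))
```

The Reference-URI check matters because a ds:Signature sitting somewhere inside the Response does not by itself prove the Response or a given Assertion was signed; only a signature whose Reference resolves to the enclosing element's ID, and which then verifies, should satisfy either option.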