When a user logs in via EngineBlock, an IdP sends back a SAML response containing the user's identity. That response can be encrypted and signed.
Signing can happen in two places:
- On the outer envelope, the whole response message
- On the inner assertion, just the user identity claim inside
Currently, an old feature flag/parameter and a skipped test exist in the code: `eb.encrypted_assertions_require_outer_signature`
What it does: "If a response arrives with encryption AND no outer signature, should EngineBlock reject it?"
- true (default): reject it; require an outer signature
- false: accept it; trust the inner assertion signature instead
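To make the two settings concrete, here is an added example (not EngineBlock's own code) that inspects a SAML Response for the two signals the flag cares about, an outer `ds:Signature` directly under `samlp:Response` and a `saml:EncryptedAssertion`, and returns which verification path the flag's semantics require. The sample responses are constructed; only element presence is checked, not the signatures themselves.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 / XML-DSig namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_response(xml_text):
    """Return (is_encrypted, has_outer_signature) for a samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Outer signature = ds:Signature that is a direct child of the Response
    # (a signature inside the assertion would be the inner one).
    has_outer = root.find("ds:Signature", NS) is not None
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    return encrypted, has_outer

def decide(xml_text, require_outer_signature=True):
    """Apply the flag's semantics: reject, or say which signature to verify."""
    encrypted, has_outer = inspect_response(xml_text)
    if has_outer:
        return "verify-outer"
    if encrypted and require_outer_signature:
        return "reject"                       # flag true: no outer signature, refuse
    if encrypted:
        # Flag false: the only signature is on the assertion, which can be
        # checked only after the EncryptedAssertion has been decrypted.
        return "verify-inner-after-decrypt"
    return "verify-inner"                     # plaintext assertion; flag does not apply

# Constructed sample: encrypted assertion, no outer signature (the case the flag governs).
ENCRYPTED_UNSIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample: same response, but with an outer signature on the envelope.
ENCRYPTED_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>"""
```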
History
- 2016: The flag was implemented: 7f6ab9908
- 2018: How EngineBlock processes SAML messages was refactored. In that refactor the flag was removed from the code because "the underlying library does not support it", but it was not removed from the config: 6f858ec76
- 2026: The flag exists in config and defaults to true, but the code never reads it, so the feature is broken. Setting it to false has no effect.
We should either implement support for this feature flag again or remove the feature flag.