
Verify SAML Response OK, but cannot verify SAML Assertion by location #280

@nipil

I am validating a SAML Response without problem, but I do not succeed in validating the Assertion signature.

Here is the sample doc (only relevant lines):

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_d836fa89-0881-40fd-a507-ceb8616ba1bd" ... >
  ...
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:Reference URI="#ID_d836fa89-0881-40fd-a507-ceb8616ba1bd">
  ...
  <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_3e88353e-f7d6-49de-a9d5-cc3c65320ce9" ...>
    ...
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        ...
        <dsig:Reference URI="#ID_3e88353e-f7d6-49de-a9d5-cc3c65320ce9">
        ...
  </saml:Assertion>
</samlp:Response>

I validate the Response itself successfully, finding the top-most signature, using this code:

from signxml import XMLVerifier, SignatureConfiguration  # imports omitted in the original snippet

loc = "./"  # signature expected as a direct child of the root element
config = SignatureConfiguration(location=loc)
XMLVerifier().verify(xml_bytes, x509_cert=idp_cert, expect_config=config)
# does not throw any exception and returns a VerifyResult

Then I am trying to validate the SAML Assertions, which, too, might contain a Signature, using:

# I tried all of these:
# loc = "./{urn:oasis:names:tc:SAML:2.0:protocol}Response"
# loc = "./{urn:oasis:names:tc:SAML:2.0:protocol}Response/{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
# loc = "./{urn:oasis:names:tc:SAML:2.0:protocol}Response/{urn:oasis:names:tc:SAML:2.0:assertion}Assertion/{http://www.w3.org/2000/09/xmldsig#}Signature"
config = SignatureConfiguration(location=loc)
XMLVerifier().verify(xml_bytes, x509_cert=idp_cert, expect_config=config)

Every location I tried raised the following exception:

signxml.exceptions.InvalidInput: Expected to find XML element Signature in {urn:oasis:names:tc:SAML:2.0:protocol}Response

Which might indicate it is ignoring (or not accepting?) the specified location.

As the Assertions are part of the Response and the Response signature is validating, I guess that the Assertions are signed anyway and a dedicated Assertion signature is kind of redundant, so I could ignore its verification. Am I correct, or is there any real benefit in verifying only the Assertions?

Any idea how to fix this exception? (As I still want to succeed even if the supposition above is correct.)
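Added example (not the issue author's code and not part of signxml): a standard-library-only check of which Signature covers which element in a Response laid out like the one above. It resolves each Reference URI to the element it points at, reports whether that element encloses the Signature (the enveloped shape SAML uses), and lists which signatures cover a given Assertion. A signature over the Response covers every element under it, Assertions included, which is the point behind the question above; a Signature whose Reference points at some element other than the one it sits in vouches for that other element, not for its surroundings, which is exactly what an SP wants flagged before it trusts an Assertion. The sample document is constructed to mirror the layout above, with invented IDs and no signature values, so only structure is inspected; the cryptographic verification is still signxml's job, and whatever is consumed afterwards should be taken from the `signed_xml` of the `VerifyResult` it returns rather than from the original parsed document.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample (not a real IdP response): same layout as the issue's document,
# with invented IDs and no signature values, since only structure is inspected here.
SAMPLE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="ID_resp">
  <dsig:Signature><dsig:SignedInfo><dsig:Reference URI="#ID_resp"/></dsig:SignedInfo></dsig:Signature>
  <saml:Assertion ID="ID_asn">
    <dsig:Signature><dsig:SignedInfo><dsig:Reference URI="#ID_asn"/></dsig:SignedInfo></dsig:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed variant: the Signature sitting inside Assertion ID_asn references a
# different Assertion, so it does not vouch for the Assertion that encloses it.
MISMATCHED = SAMPLE.replace(b'URI="#ID_asn"', b'URI="#ID_other"').replace(
    b"</samlp:Response>",
    b'<saml:Assertion ID="ID_other"><saml:Subject><saml:NameID>bob</saml:NameID>'
    b"</saml:Subject></saml:Assertion></samlp:Response>",
)


def _parent_map(root):
    # ElementTree has no parent pointers; build them once per document.
    return {child: parent for parent in root.iter() for child in parent}


def _ids(root):
    # ID -> element; duplicate IDs make "#id" lookups ambiguous, so refuse them.
    ids = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is None:
            continue
        if el_id in ids:
            raise ValueError(f"duplicate ID {el_id!r}: ID reference would be ambiguous")
        ids[el_id] = el
    return ids


def _ancestors_or_self(el, parents):
    while el is not None:
        yield el
        el = parents.get(el)


def signature_coverage(xml_bytes):
    """For every ds:Signature, resolve its Reference URI to the element it covers and
    report whether that element encloses the Signature (proper enveloped signature)
    or lies elsewhere in the document."""
    root = ET.fromstring(xml_bytes)
    parents = _parent_map(root)
    ids = _ids(root)
    report = []
    for sig in root.iter(DS + "Signature"):
        refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
        if len(refs) != 1:
            raise ValueError("expected exactly one Reference per Signature")
        uri = refs[0].get("URI", "")
        if uri == "":
            covered = root  # empty URI means the whole document
        elif uri.startswith("#") and uri[1:] in ids:
            covered = ids[uri[1:]]
        else:
            raise ValueError(f"unsupported or dangling Reference URI {uri!r}")
        report.append({
            "signature_in": parents[sig].tag,
            "covers_id": covered.get("ID"),
            "covers_tag": covered.tag,
            "enveloped": covered in _ancestors_or_self(sig, parents),
        })
    return report


def signatures_covering(xml_bytes, element_id):
    """IDs of the signed elements whose enveloped signature covers element_id.
    A signature over an element covers all of its descendants, so a Response-level
    signature covers the Assertions inside the Response."""
    root = ET.fromstring(xml_bytes)
    parents = _parent_map(root)
    ids = _ids(root)
    target = ids[element_id]
    covering = []
    for entry in signature_coverage(xml_bytes):
        if not entry["enveloped"]:
            continue  # a non-enveloped Reference does not vouch for its surroundings
        signed_el = root if entry["covers_id"] is None else ids[entry["covers_id"]]
        if signed_el in _ancestors_or_self(target, parents):
            covering.append(entry["covers_id"])
    return covering


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("mismatched", MISMATCHED)):
        print(name, signature_coverage(doc))
        print(name, "covers ID_asn:", signatures_covering(doc, "ID_asn"))
```

On the constructed sample both signatures are enveloped and both cover the Assertion, so verifying the Response signature alone already covers the Assertion bytes; on the mismatched variant the inner Signature is reported with `enveloped: False` and is not counted as covering anything around it.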
