Cannot sign the assertion

[GreenGremlin]

According to SAML spec, the SAML response should always be signed and the SAML assertion can optionally be signed. samlp.auth currently only allows for the response to be signed, and it defaults to not signing it.

Desired behavior

The response should always be signed, and there should be an option added signAssertion to sign the assertion as well.

samlp.auth({
    ...,
    signAssertion: true,
});

The above code should result in a SAML response with both a signed response and a signed assertion. The signResponse option should default to true and signAssertion should default to false.

[GreenGremlin]

Digging deeper, I believe this is actually a bug in the xml-crypto package. This package always signs the assertion, but when signResponse is set to true, xml-crypto's enveloped transform is removing the assertions signature when calculating the signature for the response.

[LoneRifle]

I've fixed the xml-crypto bug and released 1.0.0 of xml-crypto, and will send in a PR

[mgloystein]

Any plans to support asymmetric assertion encryption?

[luuuis]

samlp@4.0.0 adds a signAssertion option in addition to the already available signResponse.

Fixed by #104