From 60f954a497687be15c27cfae172723c95e6b604e Mon Sep 17 00:00:00 2001
From: Pedro Igor <pedroigor@gmail.com>
Date: Thu, 26 May 2016 10:48:30 -0300
Subject: [PATCH] [KEYCLOAK-2894] - Fixing saml signature validation

---
 .../subsystem/saml/as7/Constants.java         |   2 +
 .../saml/as7/SingleSignOnDefinition.java      |   7 +-
 .../saml/as7/LocalDescriptions.properties     |   1 +
 .../schema/wildfly-keycloak-saml_1_1.xsd      |   5 ++
 .../subsystem/saml/as7/keycloak-saml-1.1.xml  |   1 +
 .../adapters/saml/DefaultSamlDeployment.java  |  10 +++
 .../adapters/saml/SamlDeployment.java         |   1 +
 .../keycloak/adapters/saml/config/IDP.java    |   9 +++
 .../config/parsers/ConfigXmlConstants.java    |   1 +
 .../config/parsers/DeploymentBuilder.java     |   1 +
 .../saml/config/parsers/IDPXmlParser.java     |   1 +
 .../AbstractSamlAuthenticationHandler.java    |  31 ++++++++-
 .../schema/keycloak_saml_adapter_1_6.xsd      |   1 +
 .../adapter/saml/extension/Constants.java     |   2 +
 .../extension/SingleSignOnDefinition.java     |   7 +-
 .../extension/LocalDescriptions.properties    |   1 +
 .../schema/wildfly-keycloak-saml_1_1.xsd      |   5 ++
 .../saml/extension/keycloak-saml-1.1-err.xml  |   1 +
 .../saml/extension/keycloak-saml-1.1.xml      |   1 +
 .../core/util/XMLSignatureUtil.java           |   3 +-
 .../KeycloakSamlClientInstallation.java       |   1 +
 .../keycloaksaml/SamlAdapterTest.java         |  18 +++++
 .../keycloaksaml/SamlAdapterTestStrategy.java |  36 ++++++++++
 .../WEB-INF/keycloak-saml.xml                 |  62 ++++++++++++++++++
 .../WEB-INF/keystore.jks                      | Bin 0 -> 1715 bytes
 .../WEB-INF/keycloak-saml.xml                 |  60 +++++++++++++++++
 .../WEB-INF/keystore.jks                      | Bin 0 -> 1705 bytes
 .../WEB-INF/keycloak-saml.xml                 |  60 +++++++++++++++++
 .../WEB-INF/keystore.jks                      | Bin 0 -> 1705 bytes
 .../resources/keycloak-saml/testsaml.json     |  62 ++++++++++++++++++
 30 files changed, 384 insertions(+), 6 deletions(-)
 create mode 100755 testsuite/integration/src/test/resources/keycloak-saml/bad-assertion-signed-post/WEB-INF/keycloak-saml.xml
 create mode 100755 testsuite/integration/src/test/resources/keycloak-saml/bad-assertion-signed-post/WEB-INF/keystore.jks
 create mode 100755 testsuite/integration/src/test/resources/keycloak-saml/missing-assertion-sig/WEB-INF/keycloak-saml.xml
 create mode 100755 testsuite/integration/src/test/resources/keycloak-saml/missing-assertion-sig/WEB-INF/keystore.jks
 create mode 100755 testsuite/integration/src/test/resources/keycloak-saml/sales-post-assertion-and-response-sig/WEB-INF/keycloak-saml.xml
 create mode 100755 testsuite/integration/src/test/resources/keycloak-saml/sales-post-assertion-and-response-sig/WEB-INF/keystore.jks

diff --git a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Constants.java b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Constants.java
index 81c697a237..7d30f7f089 100755
--- a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Constants.java
+++ b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Constants.java
@@ -45,6 +45,7 @@ public class Constants {
         static final String KEY_STORE = "KeyStore";
         static final String SIGN_REQUEST = "signRequest";
         static final String VALIDATE_RESPONSE_SIGNATURE = "validateResponseSignature";
+        static final String VALIDATE_ASSERTION_SIGNATURE = "validateAssertionSignature";
         static final String REQUEST_BINDING = "requestBinding";
         static final String BINDING_URL = "bindingUrl";
         static final String VALIDATE_REQUEST_SIGNATURE = "validateRequestSignature";
@@ -97,6 +98,7 @@ public class Constants {
         static final String CERTIFICATE_ALIAS = "alias";
         static final String SIGN_REQUEST = "signRequest";
         static final String VALIDATE_RESPONSE_SIGNATURE = "validateResponseSignature";
+        static final String VALIDATE_ASSERTION_SIGNATURE = "validateAssertionSignature";
         static final String REQUEST_BINDING = "requestBinding";
         static final String BINDING_URL = "bindingUrl";
         static final String VALIDATE_REQUEST_SIGNATURE = "validateRequestSignature";
diff --git a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleSignOnDefinition.java b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleSignOnDefinition.java
index 9f7732a0f9..61c55d8e24 100644
--- a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleSignOnDefinition.java
+++ b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleSignOnDefinition.java
@@ -37,6 +37,11 @@ abstract class SingleSignOnDefinition {
                     .setXmlName(Constants.XML.VALIDATE_RESPONSE_SIGNATURE)
                     .build();
 
+    static final SimpleAttributeDefinition VALIDATE_ASSERTION_SIGNATURE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.VALIDATE_ASSERTION_SIGNATURE, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.VALIDATE_ASSERTION_SIGNATURE)
+                    .build();
+
     static final SimpleAttributeDefinition REQUEST_BINDING =
             new SimpleAttributeDefinitionBuilder(Constants.Model.REQUEST_BINDING, ModelType.STRING, true)
                     .setXmlName(Constants.XML.REQUEST_BINDING)
@@ -52,7 +57,7 @@ abstract class SingleSignOnDefinition {
                     .setXmlName(Constants.XML.BINDING_URL)
                     .build();
 
-    static final SimpleAttributeDefinition[] ATTRIBUTES = {SIGN_REQUEST, VALIDATE_RESPONSE_SIGNATURE, REQUEST_BINDING, RESPONSE_BINDING, BINDING_URL};
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {SIGN_REQUEST, VALIDATE_RESPONSE_SIGNATURE, VALIDATE_ASSERTION_SIGNATURE, REQUEST_BINDING, RESPONSE_BINDING, BINDING_URL};
 
     static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
 
diff --git a/adapters/saml/as7-eap6/subsystem/src/main/resources/org/keycloak/subsystem/saml/as7/LocalDescriptions.properties b/adapters/saml/as7-eap6/subsystem/src/main/resources/org/keycloak/subsystem/saml/as7/LocalDescriptions.properties
index 6add1e428f..819623516d 100755
--- a/adapters/saml/as7-eap6/subsystem/src/main/resources/org/keycloak/subsystem/saml/as7/LocalDescriptions.properties
+++ b/adapters/saml/as7-eap6/subsystem/src/main/resources/org/keycloak/subsystem/saml/as7/LocalDescriptions.properties
@@ -67,6 +67,7 @@ keycloak-saml.IDP.signatureCanonicalizationMethod=Signature canonicalization met
 keycloak-saml.IDP.SingleSignOnService=Single sign-on configuration
 keycloak-saml.IDP.SingleSignOnService.signRequest=Sign SSO requests
 keycloak-saml.IDP.SingleSignOnService.validateResponseSignature=Validate an SSO response signature
+keycloak-saml.IDP.SingleSignOnService.validateAssertionSignature=Validate an SSO assertion signature
 keycloak-saml.IDP.SingleSignOnService.requestBinding=HTTP method to use for requests
 keycloak-saml.IDP.SingleSignOnService.responseBinding=HTTP method to use for responses
 keycloak-saml.IDP.SingleSignOnService.bindingUrl=SSO endpoint URL
diff --git a/adapters/saml/as7-eap6/subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd b/adapters/saml/as7-eap6/subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
index fb893dd155..0494a1e2d5 100755
--- a/adapters/saml/as7-eap6/subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
+++ b/adapters/saml/as7-eap6/subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
@@ -132,6 +132,11 @@
                 <xs:documentation>Validate the SSO response signature</xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="validateAssertionSignature" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Validate the SSO assertion signature</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
         <xs:attribute name="requestBinding" type="xs:string" use="optional">
             <xs:annotation>
                 <xs:documentation>HTTP method to use for requests</xs:documentation>
diff --git a/adapters/saml/as7-eap6/subsystem/src/test/resources/org/keycloak/subsystem/saml/as7/keycloak-saml-1.1.xml b/adapters/saml/as7-eap6/subsystem/src/test/resources/org/keycloak/subsystem/saml/as7/keycloak-saml-1.1.xml
index 31ed63089d..2380642fc5 100644
--- a/adapters/saml/as7-eap6/subsystem/src/test/resources/org/keycloak/subsystem/saml/as7/keycloak-saml-1.1.xml
+++ b/adapters/saml/as7-eap6/subsystem/src/test/resources/org/keycloak/subsystem/saml/as7/keycloak-saml-1.1.xml
@@ -42,6 +42,7 @@
             <IDP entityID="idp">
                 <SingleSignOnService signRequest="true"
                                      validateResponseSignature="true"
+                                     validateAssertionSignature="true"
                                      requestBinding="POST"
                                      bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
                 <SingleLogoutService
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java
index 4d55f38573..9e12f48e16 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java
@@ -34,6 +34,7 @@ public class DefaultSamlDeployment implements SamlDeployment {
     public static class DefaultSingleSignOnService implements IDP.SingleSignOnService {
         private boolean signRequest;
         private boolean validateResponseSignature;
+        private boolean validateAssertionSignature;
         private Binding requestBinding;
         private Binding responseBinding;
         private String requestBindingUrl;
@@ -48,6 +49,11 @@ public class DefaultSamlDeployment implements SamlDeployment {
             return validateResponseSignature;
         }
 
+        @Override
+        public boolean validateAssertionSignature() {
+            return validateAssertionSignature;
+        }
+
         @Override
         public Binding getRequestBinding() {
             return requestBinding;
@@ -71,6 +77,10 @@ public class DefaultSamlDeployment implements SamlDeployment {
             this.validateResponseSignature = validateResponseSignature;
         }
 
+        public void setValidateAssertionSignature(boolean validateAssertionSignature) {
+            this.validateAssertionSignature = validateAssertionSignature;
+        }
+
         public void setRequestBinding(Binding requestBinding) {
             this.requestBinding = requestBinding;
         }
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
index 5f60f3433e..0b82ff24cd 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
@@ -50,6 +50,7 @@ public interface SamlDeployment {
         public interface SingleSignOnService {
             boolean signRequest();
             boolean validateResponseSignature();
+            boolean validateAssertionSignature();
             Binding getRequestBinding();
             Binding getResponseBinding();
             String getRequestBindingUrl();
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java
index 73c14a2e42..7502e5d03f 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java
@@ -33,6 +33,7 @@ public class IDP implements Serializable {
         private String requestBinding;
         private String responseBinding;
         private String bindingUrl;
+        private boolean validateAssertionSignature;
 
         public boolean isSignRequest() {
             return signRequest;
@@ -50,6 +51,14 @@ public class IDP implements Serializable {
             this.validateResponseSignature = validateResponseSignature;
         }
 
+        public boolean isValidateAssertionSignature() {
+            return validateAssertionSignature;
+        }
+
+        public void setValidateAssertionSignature(boolean validateAssertionSignature) {
+            this.validateAssertionSignature = validateAssertionSignature;
+        }
+
         public String getRequestBinding() {
             return requestBinding;
         }
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java
index 8866203509..0085a6a27f 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java
@@ -68,6 +68,7 @@ public class ConfigXmlConstants {
     public static final String RESPONSE_BINDING_ATTR = "responseBinding";
     public static final String BINDING_URL_ATTR = "bindingUrl";
     public static final String VALIDATE_RESPONSE_SIGNATURE_ATTR = "validateResponseSignature";
+    public static final String VALIDATE_ASSERTION_SIGNATURE_ATTR = "validateAssertionSignature";
     public static final String VALIDATE_REQUEST_SIGNATURE_ATTR = "validateRequestSignature";
     public static final String POST_BINDING_URL_ATTR = "postBindingUrl";
     public static final String REDIRECT_BINDING_URL_ATTR = "redirectBindingUrl";
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java
index 356b79b6a1..e5a6ead98e 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java
@@ -149,6 +149,7 @@ public class DeploymentBuilder {
         }
         sso.setSignRequest(sp.getIdp().getSingleSignOnService().isSignRequest());
         sso.setValidateResponseSignature(sp.getIdp().getSingleSignOnService().isValidateResponseSignature());
+        sso.setValidateAssertionSignature(sp.getIdp().getSingleSignOnService().isValidateAssertionSignature());
 
         slo.setSignRequest(sp.getIdp().getSingleLogoutService().isSignRequest());
         slo.setSignResponse(sp.getIdp().getSingleLogoutService().isSignResponse());
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java
index b65f830b80..e649d1c259 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java
@@ -106,6 +106,7 @@ public class IDPXmlParser extends AbstractParser {
         StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
         sso.setSignRequest(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
         sso.setValidateResponseSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
+        sso.setValidateAssertionSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_ASSERTION_SIGNATURE_ATTR));
         sso.setRequestBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
         sso.setResponseBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
         sso.setBindingUrl(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
index 1c3766f71a..e9247b3bbe 100644
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
@@ -201,7 +201,7 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
                         return AuthOutcome.FAILED;
                     }
                 }
-                return handleLoginResponse((ResponseType) statusResponse, onCreateSession);
+                return handleLoginResponse((ResponseType) statusResponse, postBinding, onCreateSession);
             } finally {
                 sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
             }
@@ -272,8 +272,7 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
         return false;
     }
 
-    protected AuthOutcome handleLoginResponse(ResponseType responseType, OnSessionCreated onCreateSession) {
-
+    protected AuthOutcome handleLoginResponse(ResponseType responseType, boolean postBinding, OnSessionCreated onCreateSession) {
         AssertionType assertion = null;
         try {
             assertion = AssertionUtil.getAssertion(responseType, deployment.getDecryptionKey());
@@ -298,6 +297,32 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
             };
         }
 
+        if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) {
+            try {
+                validateSamlSignature(new SAMLDocumentHolder(AssertionUtil.asDocument(assertion)), postBinding, GeneralConstants.SAML_RESPONSE_KEY);
+            } catch (VerificationException e) {
+                log.error("Failed to verify saml assertion signature", e);
+
+                challenge = new AuthChallenge() {
+                    @Override
+                    public boolean challenge(HttpFacade exchange) {
+                        SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.INVALID_SIGNATURE);
+                        exchange.getRequest().setError(error);
+                        exchange.getResponse().sendError(403);
+                        return true;
+                    }
+
+                    @Override
+                    public int getResponseCode() {
+                        return 403;
+                    }
+                };
+                return AuthOutcome.FAILED;
+            } catch (ProcessingException e) {
+                e.printStackTrace();
+            }
+        }
+
         SubjectType subject = assertion.getSubject();
         SubjectType.STSubType subType = subject.getSubType();
         NameIDType subjectNameID = (NameIDType) subType.getBaseID();
diff --git a/adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd b/adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
index 843c86569b..1ca774b0d2 100755
--- a/adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
+++ b/adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
@@ -112,6 +112,7 @@
     <xs:complexType name="sign-on-type">
         <xs:attribute name="signRequest" type="xs:boolean" use="optional"/>
         <xs:attribute name="validateResponseSignature" type="xs:boolean" use="optional"/>
+        <xs:attribute name="validateAssertionSignature" type="xs:boolean" use="optional"/>
         <xs:attribute name="requestBinding" type="xs:string" use="optional"/>
         <xs:attribute name="responseBinding" type="xs:string" use="optional"/>
         <xs:attribute name="bindingUrl" type="xs:string" use="optional"/>
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/Constants.java b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/Constants.java
index c7d5acce38..46bfaeda3c 100755
--- a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/Constants.java
+++ b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/Constants.java
@@ -45,6 +45,7 @@ public class Constants {
         static final String KEY_STORE = "KeyStore";
         static final String SIGN_REQUEST = "signRequest";
         static final String VALIDATE_RESPONSE_SIGNATURE = "validateResponseSignature";
+        static final String VALIDATE_ASSERTION_SIGNATURE = "validateAssertionSignature";
         static final String REQUEST_BINDING = "requestBinding";
         static final String BINDING_URL = "bindingUrl";
         static final String VALIDATE_REQUEST_SIGNATURE = "validateRequestSignature";
@@ -97,6 +98,7 @@ public class Constants {
         static final String CERTIFICATE_ALIAS = "alias";
         static final String SIGN_REQUEST = "signRequest";
         static final String VALIDATE_RESPONSE_SIGNATURE = "validateResponseSignature";
+        static final String VALIDATE_ASSERTION_SIGNATURE = "validateAssertionSignature";
         static final String REQUEST_BINDING = "requestBinding";
         static final String BINDING_URL = "bindingUrl";
         static final String VALIDATE_REQUEST_SIGNATURE = "validateRequestSignature";
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/SingleSignOnDefinition.java b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/SingleSignOnDefinition.java
index 8a565a3115..d0d95b1c1c 100644
--- a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/SingleSignOnDefinition.java
+++ b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/SingleSignOnDefinition.java
@@ -37,6 +37,11 @@ abstract class SingleSignOnDefinition {
                     .setXmlName(Constants.XML.VALIDATE_RESPONSE_SIGNATURE)
                     .build();
 
+    static final SimpleAttributeDefinition VALIDATE_ASSERTION_SIGNATURE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.VALIDATE_ASSERTION_SIGNATURE, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.VALIDATE_ASSERTION_SIGNATURE)
+                    .build();
+
     static final SimpleAttributeDefinition REQUEST_BINDING =
             new SimpleAttributeDefinitionBuilder(Constants.Model.REQUEST_BINDING, ModelType.STRING, true)
                     .setXmlName(Constants.XML.REQUEST_BINDING)
@@ -52,7 +57,7 @@ abstract class SingleSignOnDefinition {
                     .setXmlName(Constants.XML.BINDING_URL)
                     .build();
 
-    static final SimpleAttributeDefinition[] ATTRIBUTES = {SIGN_REQUEST, VALIDATE_RESPONSE_SIGNATURE, REQUEST_BINDING, RESPONSE_BINDING, BINDING_URL};
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {SIGN_REQUEST, VALIDATE_RESPONSE_SIGNATURE, VALIDATE_ASSERTION_SIGNATURE, REQUEST_BINDING, RESPONSE_BINDING, BINDING_URL};
 
     static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
 
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/adapter/saml/extension/LocalDescriptions.properties b/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/adapter/saml/extension/LocalDescriptions.properties
index 6add1e428f..819623516d 100755
--- a/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/adapter/saml/extension/LocalDescriptions.properties
+++ b/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/adapter/saml/extension/LocalDescriptions.properties
@@ -67,6 +67,7 @@ keycloak-saml.IDP.signatureCanonicalizationMethod=Signature canonicalization met
 keycloak-saml.IDP.SingleSignOnService=Single sign-on configuration
 keycloak-saml.IDP.SingleSignOnService.signRequest=Sign SSO requests
 keycloak-saml.IDP.SingleSignOnService.validateResponseSignature=Validate an SSO response signature
+keycloak-saml.IDP.SingleSignOnService.validateAssertionSignature=Validate an SSO assertion signature
 keycloak-saml.IDP.SingleSignOnService.requestBinding=HTTP method to use for requests
 keycloak-saml.IDP.SingleSignOnService.responseBinding=HTTP method to use for responses
 keycloak-saml.IDP.SingleSignOnService.bindingUrl=SSO endpoint URL
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd b/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
index fb893dd155..0494a1e2d5 100755
--- a/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
+++ b/adapters/saml/wildfly/wildfly-subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
@@ -132,6 +132,11 @@
                 <xs:documentation>Validate the SSO response signature</xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="validateAssertionSignature" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Validate the SSO assertion signature</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
         <xs:attribute name="requestBinding" type="xs:string" use="optional">
             <xs:annotation>
                 <xs:documentation>HTTP method to use for requests</xs:documentation>
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1-err.xml b/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1-err.xml
index ed56cccc65..5afd0bf721 100644
--- a/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1-err.xml
+++ b/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1-err.xml
@@ -42,6 +42,7 @@
             <IDP entityID="idp" signaturesRequired="true" signatureAlgorithm="test" signatureCanonicalizationMethod="test" encryption="test">
                 <SingleSignOnService signRequest="true"
                                      validateResponseSignature="true"
+                                     validateAssertionSignature="true"
                                      requestBinding="POST"
                                      responseBinding="POST"
                                      bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1.xml b/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1.xml
index d8183087b3..f703c58dd4 100755
--- a/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1.xml
+++ b/adapters/saml/wildfly/wildfly-subsystem/src/test/resources/org/keycloak/subsystem/adapter/saml/extension/keycloak-saml-1.1.xml
@@ -44,6 +44,7 @@
             <IDP entityID="idp" signaturesRequired="true" signatureAlgorithm="test" signatureCanonicalizationMethod="test">
                 <SingleSignOnService signRequest="true"
                                      validateResponseSignature="true"
+                                     validateAssertionSignature="true"
                                      requestBinding="POST"
                                      responseBinding="POST"
                                      bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
index c1b5ef084d..bd07882e50 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
@@ -370,7 +370,8 @@ public class XMLSignatureUtil {
         NodeList nl = signedDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
 
         if (nl == null || nl.getLength() == 0) {
-            throw logger.nullValueError("Cannot find Signature element");
+            logger.debug("Cannot find Signature element");
+            return false;
         }
 
         if (publicKey == null)
diff --git a/services/src/main/java/org/keycloak/protocol/saml/installation/KeycloakSamlClientInstallation.java b/services/src/main/java/org/keycloak/protocol/saml/installation/KeycloakSamlClientInstallation.java
index ca9de35cd9..4a91db950b 100755
--- a/services/src/main/java/org/keycloak/protocol/saml/installation/KeycloakSamlClientInstallation.java
+++ b/services/src/main/java/org/keycloak/protocol/saml/installation/KeycloakSamlClientInstallation.java
@@ -96,6 +96,7 @@ public class KeycloakSamlClientInstallation implements ClientInstallationProvide
         buffer.append(">\n");
         buffer.append("            <SingleSignOnService signRequest=\"").append(Boolean.toString(samlClient.requiresClientSignature())).append("\"\n");
         buffer.append("                                 validateResponseSignature=\"").append(Boolean.toString(samlClient.requiresRealmSignature())).append("\"\n");
+        buffer.append("                                 validateAssertionSignature=\"").append(Boolean.toString(samlClient.requiresAssertionSignature())).append("\"\n");
         buffer.append("                                 requestBinding=\"POST\"\n");
         UriBuilder bindingUrlBuilder = UriBuilder.fromUri(baseUri);
         String bindingUrl = RealmsResource.protocolUrl(bindingUrlBuilder)
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java
index 37f2b65c5a..0f692fe034 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java
@@ -51,6 +51,7 @@ public class SamlAdapterTest {
             initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2",  "post.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig",  "post-sig.war", classLoader);
+            initializeSamlSecuredWar("/keycloak-saml/sales-post-assertion-and-response-sig", "/sales-post-assertion-and-response-sig",  "sales-post-assertion-and-response-sig.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email",  "post-sig-email.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post-transient", "/sales-post-sig-transient",  "post-sig-transient.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post-persistent", "/sales-post-sig-persistent",  "post-sig-persistent.war", classLoader);
@@ -60,6 +61,8 @@ public class SamlAdapterTest {
             initializeSamlSecuredWar("/keycloak-saml/signed-front-get", "/employee-sig-front",  "employee-sig-front.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/bad-client-signed-post", "/bad-client-sales-post-sig",  "bad-client-post-sig.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/bad-realm-signed-post", "/bad-realm-sales-post-sig",  "bad-realm-post-sig.war", classLoader);
+            initializeSamlSecuredWar("/keycloak-saml/bad-assertion-signed-post", "/bad-assertion-sales-post-sig",  "bad-assertion-post-sig.war", classLoader);
+            initializeSamlSecuredWar("/keycloak-saml/missing-assertion-sig", "/missing-assertion-sig",  "missing-assertion-sig.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/encrypted-post", "/sales-post-enc",  "post-enc.war", classLoader);
             System.setProperty("app.server.base.url", "http://localhost:8081");
             initializeSamlSecuredWar("/keycloak-saml/simple-input", "/input-portal",  "input.war", classLoader, InputServlet.class, "/secured/*");
@@ -89,6 +92,16 @@ public class SamlAdapterTest {
         testStrategy.testPostBadRealmSignature();
     }
 
+    @Test
+    public void testPostBadAssertionSignature() {
+        testStrategy.testPostBadAssertionSignature();
+    }
+
+    @Test
+    public void testMissingAssertionSignature() {
+        testStrategy.testMissingAssertionSignature();
+    }
+
     @Test
     public void testPostSimpleUnauthorized() {
         testStrategy.testPostSimpleUnauthorized( new SamlAdapterTestStrategy.CheckAuthError() {
@@ -189,6 +202,11 @@ public class SamlAdapterTest {
         testStrategy.testPostSignedLoginLogout();
     }
 
+    @Test
+    public void testPostSignedResponseAndAssertionLoginLogout() {
+        testStrategy.testPostSignedResponseAndAssertionLoginLogout();
+    }
+
     @Test
     public void testIDPDescriptor() throws Exception {
         Client client = ClientBuilder.newClient();
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java
index f45255f2af..6bbfeabd62 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java
@@ -280,6 +280,16 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig?GLO=true");
         checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig/", true);
 
+    }
+    public void testPostSignedResponseAndAssertionLoginLogout() {
+        driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-assertion-and-response-sig/");
+        assertAtLoginPagePostBinding();
+        loginPage.login("bburke", "password");
+        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-assertion-and-response-sig/");
+        Assert.assertTrue(driver.getPageSource().contains("bburke"));
+        driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-assertion-and-response-sig?GLO=true");
+        checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-assertion-and-response-sig/", true);
+
     }
     public void testPostSignedLoginLogoutTransientNameID() {
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-transient/");
@@ -523,6 +533,32 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         ErrorServlet.authError = null;
     }
 
+    public void testPostBadAssertionSignature() {
+        ErrorServlet.authError = null;
+        driver.navigate().to(APP_SERVER_BASE_URL + "/bad-assertion-sales-post-sig/");
+        assertAtLoginPagePostBinding();
+        loginPage.login("bburke", "password");
+        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-assertion-sales-post-sig/saml");
+        System.out.println(driver.getPageSource());
+        Assert.assertNotNull(ErrorServlet.authError);
+        SamlAuthenticationError error = (SamlAuthenticationError)ErrorServlet.authError;
+        Assert.assertEquals(SamlAuthenticationError.Reason.INVALID_SIGNATURE, error.getReason());
+        ErrorServlet.authError = null;
+    }
+
+    public void testMissingAssertionSignature() {
+        ErrorServlet.authError = null;
+        driver.navigate().to(APP_SERVER_BASE_URL + "/missing-assertion-sig/");
+        assertAtLoginPagePostBinding();
+        loginPage.login("bburke", "password");
+        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/missing-assertion-sig/saml");
+        System.out.println(driver.getPageSource());
+        Assert.assertNotNull(ErrorServlet.authError);
+        SamlAuthenticationError error = (SamlAuthenticationError)ErrorServlet.authError;
+        Assert.assertEquals(SamlAuthenticationError.Reason.INVALID_SIGNATURE, error.getReason());
+        ErrorServlet.authError = null;
+    }
+
     public void testMetadataPostSignedLoginLogout() throws Exception {
 
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-metadata/");
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/bad-assertion-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/bad-assertion-signed-post/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000000..16f78d99b6
--- /dev/null
+++ b/testsuite/integration/src/test/resources/keycloak-saml/bad-assertion-signed-post/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,62 @@
+<!--
+  ~ Copyright 2016 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8081/bad-assertion-sales-post-sig/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <Keys>
+            <Key signing="true" >
+                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                    <PrivateKey alias="http://localhost:8081/bad-realm-sales-post-sig/" password="test123"/>
+                    <Certificate alias="http://localhost:8081/bad-realm-sales-post-sig/"/>
+                </KeyStore>
+            </Key>
+        </Keys>
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService signRequest="true"
+                                 validateAssertionSignature="true"
+                                 requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    validateRequestSignature="true"
+                    validateResponseSignature="true"
+                    signRequest="true"
+                    signResponse="true"
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+            <Keys>
+                <Key signing="true">
+                    <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                        <Certificate alias="demo"/>
+                    </KeyStore>
+                </Key>
+            </Keys>
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/bad-assertion-signed-post/WEB-INF/keystore.jks b/testsuite/integration/src/test/resources/keycloak-saml/bad-assertion-signed-post/WEB-INF/keystore.jks
new file mode 100755
index 0000000000000000000000000000000000000000..215384cdef8f651b392ec1ce469adffdb9e4a521
GIT binary patch
literal 1715
zcmezO_TO6u1_mZ5W@OOMC@Cqh($~+)PfpCq$S*FjvM{hP)K5xG(Je|%%*oX)PRvOy
z)-3?a=oV+D>oYJgdg`0JY6hCI)1ZlIs{tPymo^(C3!@g3AR{9y14|Rr!ngU6+@;<g
zEB460Ol#Q`@G_(0L({`O3paH8`z~7i<koRXA*Pt!$L8FAz_n(-z|YvyNuIVo4D<Xx
zJ`ymreaC)VNla0gU0}`f88Uap4&<C@-S|b4{p$_~mHfR|bzJq1ue!gzNjT?bbm*er
za*oUS6(t{^u3val+4)LgS>2yEnn$CTh&C>rHT&=lxf7P=#(#EPPciy^NpNpfm&fy6
zyHq@QWgN7Quua<YQ2X&arv_uo_vsSL#nzwuv|DY;R<n%VzE=<4GG192{)X*yRtnGC
zWB)=w?cN&e_$FP|a)Mrf_8fhF5tYw-tL!$+{cgT(^1c)<k4MLq`7?jJ-g<r|Z@2HJ
ztJhrR{mrB|_s9zTPf-tRzaQV-=T+Fh+OC~DEU_iM<MQ_fZ7s*m?|gWXEhHu~=jx6s
zmFY6<$Irj<D(`)7vgp%Ht5>3{_deg{5xT!T;gZa`O<N;=9L`hu;HB~Z=Erw3dJ6k4
zZL7ANWj$@;nc24|a5qRr9!+_pt30i|=*{}#@~)XIkFB?xH0U=7oQcYLW0f$E=R!#A
z@(}j}eZRbSET8RZm)oi3`X}w`V~<y18oSN5yt7#oA;>RyevO_>{(A?_lqLBk?tVwv
zcw05^>a_ok{2o4|X}ww9d&8OTI&1rWOV}o*G;4YIABj?U{IX!F^}2T#k9r-Lx43t4
zQ}MGEKFMrHSIIbi`NFw8qTYK#;l|L+6G_!~Ze99NeR6}~B({al`YhKLe)`LEQRrFT
zI??kV7ys(_Gp;rdEi+?(kYl*_{)B`XhP%wqZ|jP#(p9}*eJ-*oDJ$~t`8iuYbpKr8
z6ERK5=7)pJsncv*Ui>=Sy+-oq%Zeq3{C<3p>{zWB-*@PMv~;_~ehIyzqM#1~lg%nO
zR3z>d&q_N!SG9DT%34<TdKHm2FWXh~w(P9}rhY~S)(AaQ14|(5hCvhK6(F`{Vq^4_
z_!paEz{|#|)#lOmotKf3o0Y-9z);UXhmARug;`h?TXr$fN6RDza^k#(CWZ!vW`;&4
zCPv0l;=D#Mu9<;x6d5Kq&PR3?FrzUy_A(eWb}}_KGF+8Dw);qORZ1sw?(;b(bruwu
zzd1GIioxY051Ep?&NJSRYua}#;F7qo&sL*ODfcO5MVm9tk9fGV)GQOxb+EXue|FBx
z{9auqq2tz3YniIoUiMV%VNZ6iT&ElEHsSnd1HEI<&L=4|gtjwJXxE>*A@h*@U6*qn
zHy^6Hte@wl)-yqsiJ6gs5!rdbKw}2Ft9#bDh1-g6C9hApR-N{BU2-$a@;~dg7G7KQ
zQJ(SQaf$cVkLJ}o)C&BrQ}J_}Sd^S!pj9u%vFqgL#g4H*SOan<J}Wva8?#-E!{z?s
zvIR9e@4cAQrrvY(`;k{aQZ(lAf6$0mIn0+9*<^QwpYO*DCJy)QovS+{CNzrsH}vd3
zV{yqGT*$Gcq~_*BORW|}q)!D#_(X%o-=H|xH!<CW=6nNwLtX=JNSuRBfJLd1fsuis
ziK!tpO2J$+W5Xy+4ftYgLBh71Nv|De^M9{7uzPOw+P!!7O?kShYr)pygFmiw?}@tl
zSKTU9QeekZEBRYLf4siL`@mb~sRfg>K#kCk$R#$8fp=e2%%0nLGWF^C(9e+@>P#BW
zdNL$zHF&ktAn>}*$#cAlQ?<A3{KZtn-+IaJ+tJW(Unajx6^;#l{A!QjpCXM`Trno^
z&2xv}lkcF_QG>j&eY5qOdbG-`=RZ1|_=kVfH7Wht?MK{y+;BacmesiaSi9C`rL(tv
zt7e>A!hGn3)+w<k&RN0xtDLUB&lTFjwa(Z0M9IR&`8w;rylCTizq7p0#d)vD{?&fc
zCywr&+1{dXG0#FXKk}LQ#rmd)S1!JJZqp*0^C+(@`n-+C!c+;V+spiuCxo&##uWnq
Dyn@v}

literal 0
HcmV?d00001

diff --git a/testsuite/integration/src/test/resources/keycloak-saml/missing-assertion-sig/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/missing-assertion-sig/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000000..dc60fda024
--- /dev/null
+++ b/testsuite/integration/src/test/resources/keycloak-saml/missing-assertion-sig/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,60 @@
+<!--
+  ~ JBoss, Home of Professional Open Source.
+  ~ Copyright 2016 Red Hat, Inc., and individual contributors
+  ~ as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8081/missing-assertion-sig/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <Keys>
+            <Key signing="true" >
+                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                    <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
+                    <Certificate alias="http://localhost:8080/sales-post-sig/"/>
+                </KeyStore>
+            </Key>
+        </Keys>
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp"
+             signaturesRequired="true">
+        <SingleSignOnService requestBinding="POST"
+                             bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                             validateAssertionSignature="true"
+                             validateResponseSignature="false"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+            <Keys>
+                <Key signing="true">
+                    <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                        <Certificate alias="demo"/>
+                    </KeyStore>
+                </Key>
+            </Keys>
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/missing-assertion-sig/WEB-INF/keystore.jks b/testsuite/integration/src/test/resources/keycloak-saml/missing-assertion-sig/WEB-INF/keystore.jks
new file mode 100755
index 0000000000000000000000000000000000000000..144830bc77683d1d0a3d29f8793471d4f395bdb0
GIT binary patch
literal 1705
zcmezO_TO6u1_mZ5W@J#!C@Cqh($~+)PfpCq$S*FjvM{hP&@WERNiEhb0P=N<Gt>1M
z7#KYz`B=UJb?!81V%loJ$Ht}2#>m2`#U#kc$jZRd#I(>@`_HHQr3*BE{x`hDyEHld
z+K~ja7y5T|r=%}Fu;`1zi=v(re>&z=o_dkol)j+zYO>t=Qy1S}v3en%vP3563G;>m
zf%$6H#y=LWo_E+v&g1u@xzTso16CaPbkO_D8o@;(`MobV^Igq3BNxZ5w|jA2W>>?O
zsK)o5D^C2naN_4wlZOiFZx$ZYW2t4}JhWx=_GhgLGruICtx3+%d3V!9>Dt7nXAhlc
z$;{X;mJr8NzU5%3ud}q*;Tc<&7_HRg&F#_Q?wWFKHOG|)@xdBe`K>+ek+V}K-){E)
zl)cDAKzFrg_KD*rPhJ#0xY%188oeS%DBgct!6JRDwVn#urq)k%GX7O$-%BXGHp?M$
zPK(%~JsS=itGtnGNeXRIJS<xH%k<OBwV&@wI$l|kSb1#zQ}G)q275}lX8g|f-Ln74
z{|Vik_n!WV@74$`E;eU4;X0)-lFLf#$k9h4zHf`OL>=enoqTH}>U?=&w0Rv<b4baj
znGr6FU*zue-W*?hyXufgY{Hqf&x4dM`aYhq(@bFbAHC&g{3o-|Th0H<O?hSA)>-!V
zt0IaI7=L{C`R*=P35_m^|6)DbnI1Rom?{^itz&v<zm+BK*bd>>PMs${YwWF4+mV{{
zB3p#_4CDJAHQ!e4#HZJ%dA%($R{WrMXd~~o9sJ4l4<@p_UZ&<;=%+j9w)>u?FXr2x
z;Qi$;R(a*<h2D?0b$d7enoxSM;=4-whP=nl+v99jCWdC07KSRU$-16*O7+RB13%23
zR8IS6;^X(_O!C>~n?JwFjfqj;bam5w#iu)2cStlBuRNH-DYCa*SFTj`Ruc2O%^{1v
zS^p3Un$kT>@>nGEyG?KA#5`*A-Q)TDd5mCQN4nqL|I4L=R^IMCEM*}Xua~%r;rLwD
z(rqehS=sAVMB2P;SIyh9w+fi%85vk3^h^ybfvg(_O^jE7*p`Wn(Np4IY>ELd8>d#A
zN85K^Mn-N{1_J{_Jp&y!=1>-9Vd650ft)z6p^2e^p_!qPiHVVMlsK;ujB93K97TqS
zjq{OR1<Yv7jlB#8jh#%5jSN?%kL^B^T$R$vocnyvNu31+=5J2TxMFbm$U~;&uJerd
z<C^vz3%DdM?6cLVQ_6ixS<&W9^CKSaEH%qSbR8_N>z|$TGQU@sN$9wB)LN$MwU<2=
zd)SlRE7$3UyG=O%*+B2uv-3&H4597J6WaBsZpb_&f7j)l$IXYTF6-xcsr5`yWnyMz
zU_^EvFwmHR?&_X(ZsE4#TgmHFu2rXfU6<U<vi#4wt%cVXeUxXscwFMW^`m+94z&Wm
z>s0)lCKe^<7iiUsaqK$zd9h>c57vO3iO-78%EoLL<8ZmZxNJeq&U-KBw5j(T{eI-t
zj}(o0{2w&pRSxr|MK;+T;phADf{DX@d*|wohzX72{tZ3*&sbbC2N!KDDXF>n@KOsN
z=~ICbKGC4@Hz>{}*<-lToNvHy$ZNn2iF2?C$Wdx)Vu&22rlzLAD8<l#FUD4fZCK}b
zK|7Ca=9#^T`(zEb>`N=&Wn#AY>fF{RdOu_iDQssmI(9hPO(2Uiv*4ZQlGJH!&z=`K
zw%L^5b<Y1i=YPP#9h0>kqb1@@gO=+rT(BxQD(6^h&8PDm@hVJA%Qxx$H92KBf6;Q!
zeu+xYdBwlV_8D(8vle0u7ZYR_ZJGO3A6Ja^r!9<;Jf^6B_V*`!pI4_%{2#46Qrcoa
z{d4O3!wr>pceY+y88$ipliuM2X9G4KozS*BUZS)4a=%Gc^OV}R*}*rh8m{{;m0Oa)
z^Ysn?xlP?KeF94gT3Fr`zuJ}MUVH6cw8xR2&A~UG*V~pyDQR4_ymoT_iPrx=pDW$^
gV7obl)$b?cUQd>i8HM*{tk@@=IXfvlri|w}0JG8182|tP

literal 0
HcmV?d00001

diff --git a/testsuite/integration/src/test/resources/keycloak-saml/sales-post-assertion-and-response-sig/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/sales-post-assertion-and-response-sig/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000000..1bd35d1856
--- /dev/null
+++ b/testsuite/integration/src/test/resources/keycloak-saml/sales-post-assertion-and-response-sig/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,60 @@
+<!--
+  ~ JBoss, Home of Professional Open Source.
+  ~ Copyright 2016 Red Hat, Inc., and individual contributors
+  ~ as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8081/sales-post-assertion-and-response-sig/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <Keys>
+            <Key signing="true" >
+                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                    <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
+                    <Certificate alias="http://localhost:8080/sales-post-sig/"/>
+                </KeyStore>
+            </Key>
+        </Keys>
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp"
+             signaturesRequired="true">
+        <SingleSignOnService requestBinding="POST"
+                             bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                             validateAssertionSignature="true"
+                             validateResponseSignature="true"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+            <Keys>
+                <Key signing="true">
+                    <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                        <Certificate alias="demo"/>
+                    </KeyStore>
+                </Key>
+            </Keys>
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/sales-post-assertion-and-response-sig/WEB-INF/keystore.jks b/testsuite/integration/src/test/resources/keycloak-saml/sales-post-assertion-and-response-sig/WEB-INF/keystore.jks
new file mode 100755
index 0000000000000000000000000000000000000000..144830bc77683d1d0a3d29f8793471d4f395bdb0
GIT binary patch
literal 1705
zcmezO_TO6u1_mZ5W@J#!C@Cqh($~+)PfpCq$S*FjvM{hP&@WERNiEhb0P=N<Gt>1M
z7#KYz`B=UJb?!81V%loJ$Ht}2#>m2`#U#kc$jZRd#I(>@`_HHQr3*BE{x`hDyEHld
z+K~ja7y5T|r=%}Fu;`1zi=v(re>&z=o_dkol)j+zYO>t=Qy1S}v3en%vP3563G;>m
zf%$6H#y=LWo_E+v&g1u@xzTso16CaPbkO_D8o@;(`MobV^Igq3BNxZ5w|jA2W>>?O
zsK)o5D^C2naN_4wlZOiFZx$ZYW2t4}JhWx=_GhgLGruICtx3+%d3V!9>Dt7nXAhlc
z$;{X;mJr8NzU5%3ud}q*;Tc<&7_HRg&F#_Q?wWFKHOG|)@xdBe`K>+ek+V}K-){E)
zl)cDAKzFrg_KD*rPhJ#0xY%188oeS%DBgct!6JRDwVn#urq)k%GX7O$-%BXGHp?M$
zPK(%~JsS=itGtnGNeXRIJS<xH%k<OBwV&@wI$l|kSb1#zQ}G)q275}lX8g|f-Ln74
z{|Vik_n!WV@74$`E;eU4;X0)-lFLf#$k9h4zHf`OL>=enoqTH}>U?=&w0Rv<b4baj
znGr6FU*zue-W*?hyXufgY{Hqf&x4dM`aYhq(@bFbAHC&g{3o-|Th0H<O?hSA)>-!V
zt0IaI7=L{C`R*=P35_m^|6)DbnI1Rom?{^itz&v<zm+BK*bd>>PMs${YwWF4+mV{{
zB3p#_4CDJAHQ!e4#HZJ%dA%($R{WrMXd~~o9sJ4l4<@p_UZ&<;=%+j9w)>u?FXr2x
z;Qi$;R(a*<h2D?0b$d7enoxSM;=4-whP=nl+v99jCWdC07KSRU$-16*O7+RB13%23
zR8IS6;^X(_O!C>~n?JwFjfqj;bam5w#iu)2cStlBuRNH-DYCa*SFTj`Ruc2O%^{1v
zS^p3Un$kT>@>nGEyG?KA#5`*A-Q)TDd5mCQN4nqL|I4L=R^IMCEM*}Xua~%r;rLwD
z(rqehS=sAVMB2P;SIyh9w+fi%85vk3^h^ybfvg(_O^jE7*p`Wn(Np4IY>ELd8>d#A
zN85K^Mn-N{1_J{_Jp&y!=1>-9Vd650ft)z6p^2e^p_!qPiHVVMlsK;ujB93K97TqS
zjq{OR1<Yv7jlB#8jh#%5jSN?%kL^B^T$R$vocnyvNu31+=5J2TxMFbm$U~;&uJerd
z<C^vz3%DdM?6cLVQ_6ixS<&W9^CKSaEH%qSbR8_N>z|$TGQU@sN$9wB)LN$MwU<2=
zd)SlRE7$3UyG=O%*+B2uv-3&H4597J6WaBsZpb_&f7j)l$IXYTF6-xcsr5`yWnyMz
zU_^EvFwmHR?&_X(ZsE4#TgmHFu2rXfU6<U<vi#4wt%cVXeUxXscwFMW^`m+94z&Wm
z>s0)lCKe^<7iiUsaqK$zd9h>c57vO3iO-78%EoLL<8ZmZxNJeq&U-KBw5j(T{eI-t
zj}(o0{2w&pRSxr|MK;+T;phADf{DX@d*|wohzX72{tZ3*&sbbC2N!KDDXF>n@KOsN
z=~ICbKGC4@Hz>{}*<-lToNvHy$ZNn2iF2?C$Wdx)Vu&22rlzLAD8<l#FUD4fZCK}b
zK|7Ca=9#^T`(zEb>`N=&Wn#AY>fF{RdOu_iDQssmI(9hPO(2Uiv*4ZQlGJH!&z=`K
zw%L^5b<Y1i=YPP#9h0>kqb1@@gO=+rT(BxQD(6^h&8PDm@hVJA%Qxx$H92KBf6;Q!
zeu+xYdBwlV_8D(8vle0u7ZYR_ZJGO3A6Ja^r!9<;Jf^6B_V*`!pI4_%{2#46Qrcoa
z{d4O3!wr>pceY+y88$ipliuM2X9G4KozS*BUZS)4a=%Gc^OV}R*}*rh8m{{;m0Oa)
z^Ysn?xlP?KeF94gT3Fr`zuJ}MUVH6cw8xR2&A~UG*V~pyDQR4_ymoT_iPrx=pDW$^
gV7obl)$b?cUQd>i8HM*{tk@@=IXfvlri|w}0JG8182|tP

literal 0
HcmV?d00001

diff --git a/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json b/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json
index 92ddf1a9af..b184a58bbc 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json
@@ -158,6 +158,50 @@
                 "saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
             }
         },
+        {
+            "name": "http://localhost:8081/sales-post-assertion-and-response-sig/",
+            "enabled": true,
+            "protocol": "saml",
+            "fullScopeAllowed": true,
+            "baseUrl": "http://localhost:8081/sales-post-assertion-and-response-sig",
+            "redirectUris": [
+                "http://localhost:8081/sales-post-assertion-and-response-sig/*"
+            ],
+            "attributes": {
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-assertion-and-response-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-assertion-and-response-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-assertion-and-response-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-assertion-and-response-sig/saml",
+                "saml.server.signature": "true",
+                "saml.assertion.signature": "true",
+                "saml.signature.algorithm": "RSA_SHA256",
+                "saml.client.signature": "true",
+                "saml.authnstatement": "true",
+                "saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
+            }
+        },
+        {
+            "name": "http://localhost:8081/missing-assertion-sig/",
+            "enabled": true,
+            "protocol": "saml",
+            "fullScopeAllowed": true,
+            "baseUrl": "http://localhost:8081/missing-assertion-sig",
+            "redirectUris": [
+                "http://localhost:8081/missing-assertion-sig/*"
+            ],
+            "attributes": {
+                "saml_assertion_consumer_url_post": "http://localhost:8081/missing-assertion-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/missing-assertion-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/missing-assertion-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/missing-assertion-sig/saml",
+                "saml.server.signature": "true",
+                "saml.assertion.signature": "false",
+                "saml.signature.algorithm": "RSA_SHA256",
+                "saml.client.signature": "true",
+                "saml.authnstatement": "true",
+                "saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
+            }
+        },
         {
             "name": "http://localhost:8081/sales-post-sig-transient/",
             "enabled": true,
@@ -242,6 +286,23 @@
                 "saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
             }
         },
+        {
+            "name": "http://localhost:8081/bad-assertion-sales-post-sig/",
+            "enabled": true,
+            "protocol": "saml",
+            "fullScopeAllowed": true,
+            "baseUrl": "http://localhost:8081/bad-assertion-sales-post-sig/",
+            "adminUrl": "http://localhost:8081/bad-assertion-sales-post-sig/saml",
+            "redirectUris": [
+                "http://localhost:8081/bad-assertion-sales-post-sig/*"
+            ],
+            "attributes": {
+                "saml.assertion.signature": "true",
+                "saml.client.signature": "true",
+                "saml.authnstatement": "true",
+                "saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
+            }
+        },
         {
             "name": "http://localhost:8081/bad-client-sales-post-sig/",
             "enabled": true,
@@ -274,6 +335,7 @@
                 "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-enc/saml",
                 "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-enc/saml",
                 "saml.server.signature": "true",
+                "saml.assertion.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
                 "saml.encrypt": "true",