Force Azure AD to verify the signature in the SAML request
Enable optional SAML request signature when federating with a SAML 2.0 IDP
SAML AuthnRequests from AAD to a third-party SAML 2.0 IDP are not signed. This leaves the third-party IDP open to DoS attacks on their credential repository.
Thanks for the feedback.
We would like to hear why you absolutely need this option before you move to Azure AD.
Azure AD accepts a signed SAML request; however, it will not verify the signature. Azure AD has different methods to protect against malicious calls. For example, Azure AD uses the reply URLs configured in the application to validate the SAML request. Azure AD will only send a token to reply URLs configured for the application.
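The two mechanisms discussed in the request and the response, signature verification on the AuthnRequest and the reply-URL (ACS) allowlist, can be shown side by side. The Go program below is an added example written for this page; it is not Azure AD's or Microsoft's code. It implements the SAML 2.0 HTTP-Redirect binding (DEFLATE, base64, URL-encoding, detached RSA-SHA256 signature over `SAMLRequest=...&RelayState=...&SigAlg=...`) for a hypothetical SP `sp.example.com`, with constructed keys and URLs, and runs four scenarios through an IdP-side check: a valid request, one signed with an unregistered key, one signed correctly but naming an unregistered ACS URL, and one with no signature at all.

```go
package main

import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// AuthnRequest holds the one attribute the IdP must compare with its registered reply URLs.
type AuthnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ACSURL  string   `xml:"AssertionConsumerServiceURL,attr"`
}

func unescape(s string) string { v, _ := url.QueryUnescape(s); return v }

// rawParams keeps values URL-encoded: the Redirect-binding signature covers the query bytes as sent.
func rawParams(query string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			out[parts[0]] = parts[1]
		}
	}
	return out
}

// VerifyRedirectRequest is the IdP-side check: a valid Signature under the registered SP key, then an ACS URL in replyURLs.
func VerifyRedirectRequest(query string, spKey *rsa.PublicKey, replyURLs []string) (*AuthnRequest, error) {
	p := rawParams(query)
	// The binding signs SAMLRequest=..&RelayState=..&SigAlg=.. (RelayState only when present). The
	// claimed SigAlg is covered by the signature but never trusted: RSA-SHA256 is required outright.
	signed := "SAMLRequest=" + p["SAMLRequest"]
	if rs, ok := p["RelayState"]; ok {
		signed += "&RelayState=" + rs
	}
	digest := sha256.Sum256([]byte(signed + "&SigAlg=" + p["SigAlg"]))
	sig, err := base64.StdEncoding.DecodeString(unescape(p["Signature"]))
	if err != nil || rsa.VerifyPKCS1v15(spKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("missing or invalid signature for the registered SP key")
	}
	// Only after the signature holds: URL-unescape, base64-decode, inflate and parse the request.
	var req AuthnRequest
	r := flate.NewReader(base64.NewDecoder(base64.StdEncoding, strings.NewReader(unescape(p["SAMLRequest"]))))
	if err := xml.NewDecoder(r).Decode(&req); err != nil {
		return nil, err
	}
	for _, u := range replyURLs {
		if u == req.ACSURL {
			return &req, nil
		}
	}
	return nil, fmt.Errorf("ACS URL %q is not a registered reply URL", req.ACSURL)
}

// BuildRedirectQuery is the SP side: DEFLATE+base64 the XML, sign the query with RSA-SHA256, append Signature.
func BuildRedirectQuery(xmlReq, relayState string, key *rsa.PrivateKey) string {
	var buf strings.Builder
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xmlReq))
	w.Close()
	q := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(buf.String())))
	q += "&RelayState=" + url.QueryEscape(relayState)
	q += "&SigAlg=" + url.QueryEscape("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
	digest := sha256.Sum256([]byte(q))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // demo: signing errors ignored
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
}

// authnXML is a constructed AuthnRequest for the hypothetical SP sp.example.com.
func authnXML(acs string) string {
	return `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0" AssertionConsumerServiceURL="` + acs + `"/>`
}

// Demo runs four scenarios with constructed keys and URLs; a nil error means the IdP accepted.
func Demo() map[string]error {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the IdP has not registered
	allow := []string{"https://sp.example.com/saml/acs"}
	pub, res := &spKey.PublicKey, map[string]error{}
	_, res["valid"] = VerifyRedirectRequest(BuildRedirectQuery(authnXML(allow[0]), "st", spKey), pub, allow)
	_, res["wrong-key"] = VerifyRedirectRequest(BuildRedirectQuery(authnXML(allow[0]), "st", otherKey), pub, allow)
	q := BuildRedirectQuery(authnXML("https://other.example.net/acs"), "st", spKey)
	_, res["unregistered-acs"] = VerifyRedirectRequest(q, pub, allow)
	_, res["unsigned"] = VerifyRedirectRequest(strings.SplitN(q, "&Signature=", 2)[0], pub, allow)
	return res
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

Two design points matter for an IdP that does verify, as the request asks for: the signature is checked over the raw URL-encoded query values exactly as they arrived (re-encoding decoded values with a different encoder silently breaks verification), and the payload is not decoded or inflated until the signature holds, so unsigned or tampered input never reaches the parser. The reply-URL allowlist from the response above still applies independently, which is why the correctly signed request to an unregistered ACS URL is also rejected.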
Kendall, Andrew commented
Hi - is relying upon pre-configured reply URLs completely secure? The Auth Response is sent to the SP via the browser (using a redirect, presumably?). What's to stop a compromised user agent modifying the redirect to point to another SP URL?
We are retiring ADFS from our environment and we have 1 remaining application using it. When I run the "check" I get this alert: Relying Party has SignedSamlRequestsRequired set to true.
Michael Finney commented
This is blocking us from migrating the Oracle relying party trusts from ADFS to Azure AD. If it works in ADFS, then it should work in Azure AD... if you want us to use Azure AD, that is.