Option to sign both assertion and/or message in SAML responses
Is your feature request related to a problem? Please describe.
An application might require that the SAML response payload signs the Assertion and/or Message.
Describe the solution you'd like
The ability to sign the assertion, the message, or both the assertion and message.
Describe alternatives you've considered
N/A
Additional context
Other IdP services have a means of choosing which parts of the SAML response can be signed. I'd like feature parity from Authentik on this request as the application I'd like to integrate does not offer a means of selecting only Assertion signature (it requires both to be signed).
Note the two SignedInfo objects in the example for "SAML Response with Signed Message & Assertion" found here https://www.samltool.com/generic_sso_res.php
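To see which parts of a response an IdP actually signed (message, assertion, or both), the following is an added example, not part of the original issue or Authentik's code. It inspects structure only and does not verify signatures; it assumes an unencrypted assertion, and the sample XML, IDs and helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _covers(parent):
    """True if a direct-child ds:Signature references parent's own ID."""
    own_id = parent.get("ID")
    for sig in parent.findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            if own_id and ref.get("URI") == "#" + own_id:
                return True
    return False

def signed_parts(xml_text):
    """Report whether the Response (message) and its Assertion(s) carry
    an enveloped signature that points at the element containing it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "message": _covers(root),
        "assertion": bool(assertions) and all(_covers(a) for a in assertions),
    }

def _sig(ref_id):
    # Constructed skeleton signature: placeholder value, no real crypto.
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
            '<ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
            '</ds:Signature>' % (NS["ds"], ref_id))

def sample(sign_message, sign_assertion):
    """Build a constructed, minimal response with the chosen signatures."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1">%s'
            '<saml:Assertion ID="_assert1">%s</saml:Assertion>'
            '</samlp:Response>'
            % (NS["samlp"], NS["saml"],
               _sig("_resp1") if sign_message else "",
               _sig("_assert1") if sign_assertion else ""))

if __name__ == "__main__":
    for flags in [(True, True), (False, True), (True, False)]:
        print(flags, signed_parts(sample(*flags)))
```

A response where both entries are `True` corresponds to the "Signed Message & Assertion" case with two SignedInfo elements.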
Seconding this. I have this issue when trying to use Authentik with Canva's SAML. They expect the Document to be signed, not the Assertion.
In Keycloak I can choose which part of the response I want to be signed. Maybe this could be added to Keycloak as well?
I also have some issues here and had to disable verification completely for Apache CloudStack and Mattermost. As the signature provides more security and it seems to be state of the art to sign the whole SAMLResponse, a +1 here.
One of the providers I was trying to connect to requires this, so I look forward to when this is added.