Attack vectors with encrypted SAML assertion response
I’m testing a web application which uses SAML SSO. The SAML Response has a signature, and it is verified correctly if data is tampered with. But I noticed that when the signature is removed completely, authentication to the SP succeeds. In general, it’s clear…
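As an added example (not part of the original post or the application under test): a fail-closed structural check a service provider can run before cryptographic verification, so that a response with its signature removed is rejected instead of accepted. It assumes any EncryptedAssertion has already been decrypted; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # production code should use a hardened parser such as defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample messages: identical except for the presence of ds:Signature.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#_a1"/></ds:SignedInfo>'
       '<ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>')
TEMPLATE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
            '<saml:Assertion ID="_a1">%s<saml:Subject/></saml:Assertion></samlp:Response>')
SIGNED, UNSIGNED = TEMPLATE % SIG, TEMPLATE % ""

def signed_by_reference(elem):
    """True if elem has a direct-child ds:Signature whose single Reference
    points at elem's own ID (an enveloped signature over this element)."""
    elem_id = elem.get("ID")
    sig = elem.find("ds:Signature", NS)
    if not elem_id or sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + elem_id

def require_signature(response_xml):
    """Structural gate only: it does NOT check the signature cryptographically.
    Returns the element whose signature must then be verified against the
    IdP key; raises ValueError when nothing in the message is signed."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML Response")
    if signed_by_reference(root):
        return root
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one decrypted assertion")
    if signed_by_reference(assertions[0]):
        return assertions[0]
    raise ValueError("unsigned response: rejecting")
```

The SP should build the session only from the element this function returns, after its signature verifies; an undecrypted EncryptedAssertion fails closed here because no `saml:Assertion` child is found.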