The OpenSamlMetadataResolver does not set the AuthnRequestsSigned attribute.
https://github.com/spring-projects/spring-security/blob/6f79921750973f55a89197032dbe3ffba3797bbb/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java#L79
I am not sure if this is a bug or not, but at least this is a difference compared to the old spring-security-saml library which rendered this attribute.
Comment From: jzheaux
Thanks for the report, @dawi. The omission was intentional, I find waiting for a concrete use case helps to get the contract correct.
Spring Security uses the asserting party's WantsAuthnRequestsSigned attribute to determine whether or not to sign requests, so the AP wouldn't get much value from reading your application's AuthnRequestsSigned attribute. If it were added to your app's metadata, it would, by default, just refer to RelyingPartyRegistration#getAssertingPartyDetails#getWantsAuthnRequestSigned at this point.
Is your application the one making the decision as to whether or not to sign AuthnRequests? If so, it's probably first important to add that capability to Spring Security so that AuthnRequestsSigned isn't misleading.
Comment From: dawi
Hi @jzheaux, thanks for the clarification. :) It does not cause any issues in our projects and it seems like a reasonable decision to me. I just noticed this difference compared to spring-security-saml.
Comment From: wsalembi
@jzheaux There is a use case. The asserting party may publish by default that WantsAuthnRequestsSigned = false, but a specific application might want to send signed requests. This is not possible with Spring Security right now. Please have a look at https://github.com/spring-projects/spring-security/issues/11818
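Added example (not code from the thread or from the Spring Security project) tying the two points above together: jzheaux's note that the signing decision is driven by the asserting party's WantsAuthnRequestsSigned flag, and wsalembi's use case where the IdP publishes `false` but the application wants to send signed requests anyway. It assumes a Spring Security version that has `OpenSamlMetadataResolver#setEntityDescriptorCustomizer` and `EntityDescriptorParameters#getEntityDescriptor()` / `getRelyingPartyRegistration()`, a hypothetical IdP metadata URL, and a `Saml2X509Credential` loaded elsewhere. The registration overrides the flag parsed from the IdP metadata, and the metadata customizer publishes `AuthnRequestsSigned` on the SPSSODescriptor from that same flag, so the rendered SP metadata cannot disagree with what the application actually does.

```java
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

public class SignedAuthnRequestMetadataExample {

    // Hypothetical IdP metadata location (assumption). The IdP is assumed to
    // publish WantAuthnRequestsSigned="false", which is the use case above.
    private static final String IDP_METADATA = "https://idp.example.org/metadata";

    /**
     * Builds the relying-party registration. Spring Security decides whether to
     * sign AuthnRequests from assertingPartyDetails.wantAuthnRequestsSigned, so
     * overriding that flag after the IdP metadata has been parsed is what makes
     * this application send signed requests even though the IdP says "false".
     * The signing credential is assumed to be loaded elsewhere (PEM, keystore, ...).
     */
    static RelyingPartyRegistration registration(Saml2X509Credential signingCredential) {
        return RelyingPartyRegistrations.fromMetadataLocation(IDP_METADATA)
                .registrationId("example")
                .entityId("https://sp.example.com/saml2/service-provider-metadata/example")
                .signingX509Credentials(c -> c.add(signingCredential))
                // Override the value that was read from the IdP metadata.
                .assertingPartyDetails(party -> party.wantAuthnRequestsSigned(true))
                .build();
    }

    /**
     * Metadata resolver that sets AuthnRequestsSigned on the SPSSODescriptor.
     * The value is derived from the same flag the runtime consults, so the
     * published metadata and the actual signing behaviour stay consistent.
     */
    static OpenSamlMetadataResolver metadataResolver() {
        OpenSamlMetadataResolver resolver = new OpenSamlMetadataResolver();
        resolver.setEntityDescriptorCustomizer(params -> {
            EntityDescriptor descriptor = params.getEntityDescriptor();
            RelyingPartyRegistration registration = params.getRelyingPartyRegistration();
            SPSSODescriptor sp = descriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
            if (sp != null) {
                boolean signsRequests = registration.getAssertingPartyDetails()
                        .getWantAuthnRequestsSigned();
                sp.setAuthnRequestsSigned(signsRequests);
            }
        });
        return resolver;
    }

    /** Renders the SP metadata and checks that the attribute reached the XML. */
    static boolean publishesSignedRequests(RelyingPartyRegistration registration) {
        String xml = metadataResolver().resolve(registration);
        return xml.contains("AuthnRequestsSigned=\"true\"");
    }
}
```

Note that `fromMetadataLocation` fetches the IdP metadata when the registration is built, so this runs only with the IdP reachable; `publishesSignedRequests` is the check to run against the rendered metadata before handing it to the IdP operator. Because the customizer reads the flag from the registration rather than hard-coding `true`, a registration that leaves `wantAuthnRequestsSigned` at the IdP-published `false` will publish `AuthnRequestsSigned="false"`, which is the behaviour jzheaux describes as the current default.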