Required signature on a SAML assertion
Is it required to sign a SAML token? It looks like the signature element is not required according to the schema.
In lieu of signing the SAML token, we would require client certificates (two-way SSL) to verify that the consumer is a trusted consumer. Is this a viable option?
It depends on what Binding you are using and what your use case is. If you are talking about the Artifact Resolution Protocol, the SOAP binding does not require a signed SAML Response for example. However, the HTTP Post Binding (Web SSO Profile) always requires a signature.
Mutual TLS Authentication is allowed for the SOAP Binding but it is not practical at all for the Web SSO Profile.
So, it really depends on what your use case is as each Profile/Binding has its own requirements.
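The answer above makes two points worth enforcing in code on the receiving side: under the HTTP-POST (Web SSO) binding a signature is mandatory, while under the SOAP binding a client certificate can stand in for it. The following Python is an added example, not code from the question or the answer. It performs only a structural pre-check (is an enveloped `ds:Signature` present as a direct child of the Response or of every Assertion, and is one required for the binding in use?) before a real XML Signature library is asked to verify the cryptography. The binding names, the `mutual_tls` flag, the sample messages and the decision to reject an unsigned SOAP message that also lacks a client certificate are this example's own assumptions.

```python
"""Structural pre-check: does a SAML message carry the signatures its binding requires?

This is not cryptographic verification. It only answers "is there anything to verify,
in the place the profile expects it?" so that an unsigned Response cannot slip into
the Web SSO flow. Hand the message to an XML-DSig library afterwards.
"""
import xml.etree.ElementTree as ET  # production code should prefer a hardened parser such as defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIGNATURE_TAG = "{%s}Signature" % NS["ds"]

# Assumed policy table, derived from the answer above:
# HTTP-POST (Web SSO Profile) always needs a signature; SOAP may rely on mutual TLS instead.
BINDING_REQUIRES_SIGNATURE = {
    "HTTP-POST": True,
    "SOAP": False,
}


def _has_enveloped_signature(element):
    """True only if ds:Signature is an immediate child (an enveloped signature).

    A ds:Signature buried deeper in the tree does not sign this element and must not count.
    """
    return any(child.tag == SIGNATURE_TAG for child in element)


def signature_summary(xml_text):
    """Report where signatures sit: on the Response, on each Assertion, or nowhere."""
    root = ET.fromstring(xml_text)
    return {
        "response_signed": _has_enveloped_signature(root),
        "assertions": [_has_enveloped_signature(a) for a in root.findall("saml:Assertion", NS)],
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def accept_structurally(xml_text, binding, mutual_tls=False):
    """Return (ok, reason) for the structural gate; ok=True still needs signature verification."""
    if binding not in BINDING_REQUIRES_SIGNATURE:
        raise ValueError("unknown binding: %s" % binding)
    summary = signature_summary(xml_text)
    if summary["encrypted_assertions"]:
        return False, "decrypt EncryptedAssertion elements before checking their signatures"
    signed = summary["response_signed"] or (
        bool(summary["assertions"]) and all(summary["assertions"])
    )
    if signed:
        return True, "signature present on Response or on every Assertion; verify it next"
    if not BINDING_REQUIRES_SIGNATURE[binding] and mutual_tls:
        return True, "%s binding: trust derived from the client certificate" % binding
    if BINDING_REQUIRES_SIGNATURE[binding]:
        return False, "%s binding requires a signed Response or signed Assertions" % binding
    return False, "%s binding without a signature and without a client certificate" % binding


# Constructed sample messages (not real IdP output); SignatureValue is a placeholder.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
         '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example</saml:Issuer>')
_SIG = '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
_TAIL = '</saml:Assertion></samlp:Response>'

SIGNED_ASSERTION = _HEAD + _SIG + '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>' + _TAIL
UNSIGNED = _HEAD + '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>' + _TAIL
# Signature placed inside Subject: present in the document, but it does not envelop the Assertion.
MISPLACED_SIGNATURE = _HEAD + '<saml:Subject>' + _SIG + '<saml:NameID>alice</saml:NameID></saml:Subject>' + _TAIL

if __name__ == "__main__":
    for name, doc in [("signed", SIGNED_ASSERTION), ("unsigned", UNSIGNED), ("misplaced", MISPLACED_SIGNATURE)]:
        print(name, "HTTP-POST:", accept_structurally(doc, "HTTP-POST"))
        print(name, "SOAP+mTLS:", accept_structurally(doc, "SOAP", mutual_tls=True))
```

The check deliberately looks only at direct children: a `ds:Signature` that appears somewhere inside an Assertion but is not its immediate child signs nothing relevant, so the third sample is rejected under HTTP-POST even though the string "Signature" occurs in it. Once this gate passes, the actual verification (reference digests, canonicalisation, trusted signing certificate) belongs to the XML Signature library, not to code like this.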
The HTTP Post Binding (Web SSO Profile) always requires a signature. It is a configurable option in most IdPs, e.g. SAP NetWeaver IdP.