doc updates to include new fields for SAML sig validation (#29195)

* doc updates to include new fields for SAML sig validation * edit description * changes * remove extra option of validating both options
hashicorp · Jan 22, 2025 · 3149988 · 3149988
1 parent 13c445b
commit 3149988
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/website/content/api-docs/auth/saml.mdx b/website/content/api-docs/auth/saml.mdx
@@ -51,6 +51,14 @@ Configures the auth method with a SAML identity provider.
   according to the current logging level. When `verbose_logging` is `true`,
   debug-level logs provide user attributes and trace-level logs provide the full
   SAML response.
+- `validate_response_signature` `(bool, false)` - Enables validation of signature
+  for at least response in the SAML response. If your IDP allows signing both response
+  and assertion, then recommendation is to opt in for validating signatures of both
+  by enabling both options.
+- `validate_assertion_signature` `(bool, false)` - Enables validation of signature
+  for at least assertion in the SAML response. If your IDP allows signing both response
+  and assertion, then recommendation is to opt in for validating signatures of both
+  by enabling both options.
 
 ### Sample payload
 
@@ -106,6 +114,8 @@ $ curl \
     "default_role": "admin",
     "entity_id": "https://my.vault/v1/auth/saml",
     "idp_metadata_url": "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata"
+    "validate_assertion_signature" : false,
+    "validate_response_signature" : false
   },
   "warnings": null
 }

diff --git a/website/content/docs/auth/saml/index.mdx b/website/content/docs/auth/saml/index.mdx
@@ -92,6 +92,11 @@ management tool.
       entity_id="https://my.vault/v1/auth/saml" \
       acs_urls="https://my.vault/v1/auth/saml/callback"
    ```
+<Note>
+  The config has boolean options to validate the SAML response signature, as `validate_response_signature` and
+  `validate_assertion_signature`. By default, it's validated that at least one out of response or assertion is signed.
+  If your IDP allows signing both then the recommended secure approach is to enable both the options.
+</Note>
 
 1. Create a named role:
 
@@ -190,4 +195,4 @@ You can read more at the Microsoft identity platform's
 ## API
 
 The SAML authentication plugin has a full HTTP API. Refer to the
-[SAML API documentation](/vault/api-docs/auth/saml) for more details.
+[SAML API documentation](/vault/api-docs/auth/saml) for more details.