From 6dbd88a5a4857c279aed681529b584e94b62cfa1 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Fri, 18 Feb 2022 11:41:29 -0700
Subject: [PATCH] Remove WantAssertionsSigned

WantAssertionsSigned requires that asserting parties sign the assertions. This does not reflect how Spring Security actually behaves, creating behavior mismatches.

Closes gh-10844
---
 .../provider/service/metadata/OpenSamlMetadataResolver.java | 1 -
 .../service/metadata/OpenSamlMetadataResolverTests.java | 5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
index 731b9c8cf8..739b4f75de 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
@@ -81,7 +81,6 @@ public final class OpenSamlMetadataResolver implements Saml2MetadataResolver {
 private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration) {
 SPSSODescriptor spSsoDescriptor = build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
- spSsoDescriptor.setWantAssertionsSigned(true);
 spSsoDescriptor.getKeyDescriptors()
 .addAll(buildKeys(registration.getSigningX509Credentials(), UsageType.SIGNING));
 spSsoDescriptor.getKeyDescriptors()
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolverTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolverTests.java
index f5e6e44560..f67cfcafc2 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolverTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolverTests.java @@ -37,8 +37,7 @@ public class OpenSamlMetadataResolverTests { OpenSamlMetadataResolver openSamlMetadataResolver = new OpenSamlMetadataResolver(); String metadata = openSamlMetadataResolver.resolve(relyingPartyRegistration); assertThat(metadata).contains("") - .contains("") + .contains("").contains("") .contains("MIICgTCCAeoCCQCuVzyqFgMSyDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBh") .contains("Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"") .contains("Location=\"https://rp.example.org/acs\" index=\"1\"") @@ -54,7 +53,7 @@ public class OpenSamlMetadataResolverTests { OpenSamlMetadataResolver openSamlMetadataResolver = new OpenSamlMetadataResolver(); String metadata = openSamlMetadataResolver.resolve(relyingPartyRegistration); assertThat(metadata).contains("") + .doesNotContain("") .doesNotContain("") .contains("Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"") .contains("Location=\"https://rp.example.org/acs\" index=\"1\"")
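Review bot: Neither test hunk visibly pins the absence of the removed attribute, so the suite may still pass if `setWantAssertionsSigned(true)` were reintroduced in `buildSpSsoDescriptor`. The string literals in both assertion chains are not legible on this page, so this may already be covered and is worth confirming against the file. If it is missing, adding `.doesNotContain("WantAssertionsSigned")` to the chain in the `-37,8 +37,7` hunk and to the one in the `-54,7 +53,7` hunk would keep the published metadata contract under test. That contract matters because the metadata is what an asserting party reads when deciding what to sign. Both test methods start and end outside the hunks.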