TL;DR: SAML request signing and response encryption protect SSO message integrity, authenticity, and confidentiality when authentication traffic crosses proxies, load balancers, or internet paths, according to WorkOS. The control problem is not just cryptography, but certificate lifecycle discipline and trust assumptions that fail when metadata falls out of sync.
NHIMG editorial — based on content published by WorkOS: Understanding SAML Request Signing and Response Encryption
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams decide when to use SAML request signing?
A: Use request signing whenever the IdP supports it, and treat it as mandatory when authentication traffic passes through proxies, reverse gateways, or any other layer that can alter the request. TLS is terminated and re-established at each of those hops, so the channel alone does not prove that the IdP received the request the SP sent; a signature over the request itself does.
Q: Why do SAML integrations still fail even when HTTPS is enabled?
A: HTTPS protects the transport channel, hop by hop. SAML failures more often come from the message layer: a certificate that does not match what the other side holds in metadata, stale metadata after a rotation, clock skew that pushes an assertion outside its validity window, or message content that was never signed or encrypted in the first place.
Q: How can teams reduce the risk of SAML certificate rotation outages?
A: Treat certificate rotation as a controlled trust change, not a maintenance task: publish the new certificate alongside the old one, confirm the other party has refreshed metadata and validated the new key, and only then retire the old certificate.
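An added example (not from the WorkOS article) of what request signing buys over transport security alone. The SP signs the HTTP-Redirect binding query string, covering SAMLRequest, RelayState and SigAlg in that fixed order as the SAML 2.0 Bindings specification prescribes, and the IdP rebuilds the signed input from the raw, still-encoded query string before verifying it. The AuthnRequest, entity IDs and RelayState value are constructed for the example, and RewriteRelayState stands in for an intermediary that edits a parameter in flight.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// SigAlgRSASHA256 is the algorithm identifier carried in the SigAlg parameter.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SampleAuthnRequest is a constructed request, not captured from any deployment.
const SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req-example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">` +
	`<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>`

// NewSigningKey generates a throwaway SP request-signing key for the example.
func NewSigningKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// EncodeRequest applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func EncodeRequest(xmlDoc string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // only fails on an invalid level
	w.Write([]byte(xmlDoc))                                // writes into a bytes.Buffer cannot fail
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// rawParams splits a query string WITHOUT decoding: the signature covers the
// URL-encoded octets exactly as the SP emitted them, so nothing may be re-encoded.
func rawParams(query string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if i := strings.IndexByte(kv, '='); i >= 0 {
			out[kv[:i]] = kv[i+1:]
		}
	}
	return out
}

// signedInput is the fixed-order string the binding signs: SAMLRequest, then
// RelayState if present, then SigAlg (SAML 2.0 Bindings, section 3.4.4.1).
func signedInput(p map[string]string) string {
	s := "SAMLRequest=" + p["SAMLRequest"]
	if rs, ok := p["RelayState"]; ok {
		s += "&RelayState=" + rs
	}
	return s + "&SigAlg=" + p["SigAlg"]
}

// SignRedirect is the SP side: encode the request, sign the query string, append Signature.
func SignRedirect(key *rsa.PrivateKey, xmlDoc, relayState string) (string, error) {
	p := map[string]string{"SAMLRequest": url.QueryEscape(EncodeRequest(xmlDoc)), "SigAlg": url.QueryEscape(SigAlgRSASHA256)}
	if relayState != "" {
		p["RelayState"] = url.QueryEscape(relayState)
	}
	digest := sha256.Sum256([]byte(signedInput(p)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signedInput(p) + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirect is the IdP side: refuse unexpected algorithms, rebuild the signed
// input from the raw query, and check it against the SP key registered in metadata.
func VerifyRedirect(pub *rsa.PublicKey, query string) error {
	decoded, err := url.ParseQuery(query)
	if err != nil {
		return err
	}
	if decoded.Get("SigAlg") != SigAlgRSASHA256 {
		return fmt.Errorf("unsupported or missing SigAlg %q", decoded.Get("SigAlg"))
	}
	sig, err := base64.StdEncoding.DecodeString(decoded.Get("Signature"))
	if err != nil {
		return fmt.Errorf("bad Signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(signedInput(rawParams(query))))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not match the query string: %w", err)
	}
	return nil
}

// RewriteRelayState plays an intermediary that edits a parameter in flight.
func RewriteRelayState(query, newState string) string {
	p := rawParams(query)
	p["RelayState"] = url.QueryEscape(newState)
	return signedInput(p) + "&Signature=" + p["Signature"]
}

func main() {
	key := NewSigningKey()
	q, err := SignRedirect(key, SampleAuthnRequest, "/app/dashboard")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:  ", VerifyRedirect(&key.PublicKey, q))
	fmt.Println("rewritten:", VerifyRedirect(&key.PublicKey, RewriteRelayState(q, "/phish")))
}
```

The verifier deliberately works from the raw query string rather than decoding and re-encoding the parameters: different URL encoders produce different octets for the same value, and the signature is over the octets the SP actually sent. Pinning SigAlg to the expected value, rather than trusting whatever the query names, closes the obvious algorithm-substitution hole.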
Practitioner guidance
- Separate signing and encryption keys: Use distinct certificate pairs for request signing and response encryption so a compromise or rotation event does not force both trust paths to change at once.
- Enforce certificate expiry monitoring: Alert well before certificate expiration, because stale metadata can cause invalid signatures or decrypt failures that look like application bugs.
- Require metadata refresh during rotation: Keep old and new certificates trusted at the same time until both sides have refreshed metadata and validated the new trust chain.
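A worked example, added here and not part of the WorkOS article, that turns the three bullets above into a check you can run against SP metadata: it parses the KeyDescriptor elements, flags a certificate published for both signing and encryption, alerts inside an expiry window, and gates rotation on the old and new signing certificates both being published at once. The certificates and the metadata document are generated in-code (SelfSignedDER, BuildMetadata) purely as constructed fixtures; entity IDs and common names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Minimal view of SP metadata; unqualified tag names match any namespace (md:, ds:).
type entityDescriptor struct {
	Keys []keyDescriptor `xml:"SPSSODescriptor>KeyDescriptor"`
}

type keyDescriptor struct {
	Use   string   `xml:"use,attr"` // "signing", "encryption", or absent (meaning both)
	Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
}

// PublishedKey is one certificate plus the uses the metadata declares for it.
type PublishedKey struct {
	Cert                *x509.Certificate
	Signing, Encryption bool
}

// FingerprintDER (SHA-256 over the DER bytes) is the identity used in trust decisions.
func FingerprintDER(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// ParseKeys returns every certificate the metadata publishes, keyed by fingerprint.
func ParseKeys(metadata string) (map[string]*PublishedKey, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return nil, err
	}
	keys := map[string]*PublishedKey{}
	for _, kd := range ed.Keys {
		for _, b64 := range kd.Certs {
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, fmt.Errorf("bad X509Certificate: %w", err)
			}
			cert, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, err
			}
			fp := FingerprintDER(der)
			if keys[fp] == nil {
				keys[fp] = &PublishedKey{Cert: cert}
			}
			keys[fp].Signing = keys[fp].Signing || kd.Use != "encryption"
			keys[fp].Encryption = keys[fp].Encryption || kd.Use != "signing"
		}
	}
	return keys, nil
}

// Audit applies the guidance above: alert inside the expiry window, and flag a
// certificate that is published for both signing and encryption.
func Audit(keys map[string]*PublishedKey, now time.Time, warnWindow time.Duration) []string {
	var findings []string
	for fp, k := range keys {
		label := fmt.Sprintf("%s (%s)", k.Cert.Subject.CommonName, fp[:16])
		if k.Signing && k.Encryption {
			findings = append(findings, "shared key for signing and encryption: "+label)
		}
		if left := k.Cert.NotAfter.Sub(now); left <= 0 {
			findings = append(findings, "expired: "+label)
		} else if left < warnWindow {
			findings = append(findings, fmt.Sprintf("expiring in %d days: %s", int(left.Hours()/24), label))
		}
	}
	return findings
}

// RotationOverlapReady gates the cut-over: the outgoing and incoming signing
// certificates must both be published before either side drops the old one.
func RotationOverlapReady(keys map[string]*PublishedKey, outgoingFP, incomingFP string) bool {
	o, n := keys[outgoingFP], keys[incomingFP]
	return o != nil && n != nil && o.Signing && n.Signing
}

// SelfSignedDER mints a throwaway test certificate (a constructed fixture, P-256 for speed).
func SelfSignedDER(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// BuildMetadata renders a constructed SP metadata document carrying the given certificates.
func BuildMetadata(entityID string, signing, encryption [][]byte) string {
	var kds []string
	for use, certs := range map[string][][]byte{"signing": signing, "encryption": encryption} {
		for _, der := range certs {
			kds = append(kds, fmt.Sprintf(`<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`, use, base64.StdEncoding.EncodeToString(der)))
		}
	}
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s"><md:SPSSODescriptor>%s</md:SPSSODescriptor></md:EntityDescriptor>`, entityID, strings.Join(kds, ""))
}

func main() {
	now := time.Now()
	old := SelfSignedDER("sp-signing-2023", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 20))
	cur := SelfSignedDER("sp-signing-2024", now, now.AddDate(1, 0, 0))
	keys, err := ParseKeys(BuildMetadata("https://sp.example.com/metadata", [][]byte{old, cur}, [][]byte{old}))
	if err != nil {
		panic(err)
	}
	fmt.Println(Audit(keys, now, 30*24*time.Hour))
	fmt.Println("rotation overlap ready:", RotationOverlapReady(keys, FingerprintDER(old), FingerprintDER(cur)))
}
```

Two details matter in practice. A KeyDescriptor with no use attribute is valid metadata and means the key serves both purposes, which is exactly the shared-key pattern the first bullet warns against, so the parser treats the absent attribute as both rather than as neither. And the overlap gate keys on fingerprints of what is actually published, not on what an operator believes was deployed, which is the difference between a trust change and a guess during rotation.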
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step SAML flow diagrams showing where signing and encryption are applied in the request-response cycle
- Implementation specifics for signing outbound authentication requests and decrypting encrypted assertions
- Certificate handling guidance for overlap periods, metadata refresh, and key pair separation
- Platform-level notes on how the SAML implementation handles validation and decryption in practice
👉 Read WorkOS's guide to SAML request signing and response encryption →