# Importance of validating signatures in SAML

In SAML (Security Assertion Markup Language), validating signatures is a critical security measure to ensure the integrity and authenticity of messages exchanged between the Identity Provider (IdP) and the Service Provider (SP). SAML assertions contain sensitive information, such as user authentication details, that must be protected from tampering or unauthorized access.

Validating signatures ensures:

* Integrity: The message has not been altered or modified during transmission.
* Authenticity: The message originates from a trusted source, i.e., the identity provider.

Without proper signature validation, an attacker who can intercept a SAML assertion could modify it (for example, change the subject or attributes) or forge one outright, and the Service Provider would have no way to tell it apart from a genuine assertion from the IdP, potentially granting unauthorized access to protected systems.
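The two checks behind "integrity" and "authenticity" are easier to see in code than in prose. The following is an added example, not Keycloak's or Coherent Spark's code: it signs a constructed SAML assertion the way an XML-DSig signature does (a digest over the assertion with the enveloped signature removed, then a signature over `SignedInfo`) and shows a verifier accepting the genuine assertion while refusing an unsigned, a tampered and a wrongly-keyed one. Two assumptions are made for the sake of a standard-library-only script: HMAC-SHA256 stands in for the RSA signature a real IdP produces, and canonicalization uses `xml.etree`'s C14N 2.0 instead of SAML's Exclusive C14N. The key and the Response document are constructed sample data.

```python
"""Added example (not Keycloak's code): the checks an XML-DSig verifier runs on a
SAML assertion. Assumptions: HMAC-SHA256 stands in for the RSA signature real IdPs
produce (the standard library has no RSA), and canonicalization is xml.etree's
C14N 2.0 rather than SAML's Exclusive C14N. Key and Response are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Constructed: stands in for the IdP certificate Keycloak loads from metadata.
TRUSTED_KEY = b"constructed-idp-signing-key"

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _c14n(elem) -> bytes:
    """Canonical bytes of an element: signer and verifier must hash the same form."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def _assertion_digest(assertion) -> str:
    """Enveloped-signature transform: hash the assertion with its own ds:Signature removed."""
    copy = ET.fromstring(ET.tostring(assertion))
    for sig in copy.findall(f"{{{DS}}}Signature"):
        copy.remove(sig)
    return base64.b64encode(hashlib.sha256(_c14n(copy)).digest()).decode()


def sign_assertion(assertion, key: bytes) -> None:
    """IdP side: append a ds:Signature covering the assertion's digest."""
    digest = _assertion_digest(assertion)
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    mac = hmac.new(key, _c14n(info), hashlib.sha256).digest()  # RSA-SHA256 in real SAML
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()


def verify_response(xml_bytes: bytes, key: bytes):
    """SP side: return (accepted, reason). Unsigned, altered and wrongly-keyed assertions are refused."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return False, "no assertion"
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, "unsigned: assertion carries no signature"
    info = sig.find(f"{{{DS}}}SignedInfo")
    ref = info.find(f"{{{DS}}}Reference") if info is not None else None
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return False, "signature does not reference this assertion"
    # Check 1 (integrity): the digest in SignedInfo must match the assertion as received.
    if not hmac.compare_digest(ref.findtext(f"{{{DS}}}DigestValue", ""), _assertion_digest(assertion)):
        return False, "digest mismatch: assertion was modified after signing"
    # Check 2 (authenticity): SignedInfo must be signed with the trusted IdP key.
    expected = hmac.new(key, _c14n(info), hashlib.sha256).digest()
    presented = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch: not produced by the trusted IdP key"
    return True, "ok"


def build_signed_response(key: bytes = TRUSTED_KEY) -> bytes:
    """Produce a signed Response from the constructed sample."""
    root = ET.fromstring(SAMPLE_RESPONSE)
    sign_assertion(root.find(f"{{{SAML}}}Assertion"), key)
    return ET.tostring(root)


def tamper(xml_bytes: bytes) -> bytes:
    """Simulate modification in transit: the subject changes after signing."""
    return xml_bytes.replace(b"alice@example.test", b"admin@example.test")


def strip_signature(xml_bytes: bytes) -> bytes:
    """Simulate a Response whose signature element was removed."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find(f"{{{SAML}}}Assertion")
    assertion.remove(assertion.find(f"{{{DS}}}Signature"))
    return ET.tostring(root)


if __name__ == "__main__":
    signed = build_signed_response()
    cases = (("genuine", signed), ("tampered", tamper(signed)),
             ("unsigned", strip_signature(signed)),
             ("wrong-key", build_signed_response(b"other-key")))
    for label, doc in cases:
        print(f"{label:9s} -> {verify_response(doc, TRUSTED_KEY)}")
```

Note the order of the checks and the fact that none of them can be skipped: the digest alone would accept an assertion re-signed with any key, and the signature over `SignedInfo` alone would accept an assertion whose body no longer matches the digest. Keycloak's *Validate Signature* option is what makes the SP perform both checks against the IdP certificate it obtained from metadata; with it off, the unsigned and tampered cases above would be accepted.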

## How to enable Signature Validation for SAML Identity Providers in Keycloak

1. Log in to the target Spark tenant. Access the *Keycloak console* from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
2. Log in to the Keycloak Admin Console using your admin credentials.
3. In the left-hand menu, go to *Identity Providers*.
4. Select the SAML identity provider you want to configure.
5. Scroll down to the *Signature and Encryption* settings.
6. Enable the option *Validate Signature*.
7. Enable the option *Metadata Descriptor URL*.

By enabling signature validation in Keycloak, you ensure that any SAML assertion that has been tampered with, or that was not signed by the trusted IdP, is rejected rather than used to grant access, significantly enhancing the security of your SSO integration.

By enabling *Metadata Descriptor URL*, you allow Keycloak to automatically retrieve the IdP configuration (signing certificates, endpoints, etc.) from Entra ID and keep it up to date. This reduces manual maintenance and prevents signature validation failures during certificate rotation, when the IdP starts signing with a new certificate that a manually pasted copy would not include.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.coherent.global/identity-and-access-management/single-sign-on/importance-of-validating-signatures-in-saml.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
