SAML Signature Verification and Code Compatibility

I have a couple of questions and would appreciate your input.

  1. In the context of a SOAP proxy (WS-Security), can we use the validate SAML assertion policy to verify an X.509 signature, or do we need to rely on a Java callout with JAR files for this, as discussed below? GitHub - DinoChiesa/Apigee-Java-WsSec-Signature-2: 2nd implementation of a Java callout that performs WS-Security Signing and Validating
  2. Is the code shared in Git applicable for both the hybrid and on-premise versions?

Thanks in advance for your help! @dchiesa1

There is a built-in ValidateSAMLAssertion policy that is most often used with SAML SOAP messages.

It should work.
You do not need to rely on the Java callout for signature validation. The Java callout is a little more flexible, I’d say.