Sequence for Signing and Encrypting SAML Assertions

Problem statement

If Auth0 is configured to both sign and encrypt a SAML assertion, in what order does Auth0 perform the sequence?

Solution

Auth0 signs the assertion first and then encrypts it. Encryption ensures that only the intended recipient can access the content; after decrypting, the recipient validates the signature to confirm the assertion's origin.
