
fix(saml): support Azure SAML 'Sign assertion only' configuration#5275

Merged
carlosmonastyrski merged 1 commit into main from devin/1769467042-fix-azure-saml-signing
Jan 27, 2026

Conversation

@devin-ai-integration
Contributor

Context

Fixes SAML authentication failures for Azure AD/Entra ID customers who have their SAML signing option configured to "Sign SAML assertion" (rather than "Sign SAML response and assertion").

Before: Customers using Azure SAML with "Sign SAML assertion" only would receive Invalid document signature errors because node-saml expected the SAML response envelope to be signed.

After: Both "Sign SAML assertion" and "Sign SAML response and assertion" configurations work correctly.

This is consistent with how JumpCloud SAML is already handled in the codebase (line 82), which also sets wantAuthnResponseSigned = false.

Steps to verify the change

  1. Configure Azure AD/Entra ID SAML SSO with signing option set to "Sign SAML assertion"
  2. Attempt to log in via SAML SSO
  3. Verify authentication succeeds without "Invalid document signature" error

Human Review Checklist

  • Verify that setting wantAuthnResponseSigned = false still validates the assertion signature (the assertion contains the user identity claims and is the security-critical part)
  • Confirm this change is backward compatible with existing Azure SAML configurations using "Sign SAML response and assertion"

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Link to Devin run: https://app.devin.ai/sessions/1a3839a54ee842979a623083011aa47f
Requested by: Vlad Matsiiako (@vmatsiiako)

Azure AD/Entra ID can be configured with different SAML signing options:
- Sign SAML assertion (only the assertion is signed)
- Sign SAML response and assertion (both are signed)

Previously, Infisical's SAML implementation expected both the response
and assertion to be signed (node-saml default). This caused 'Invalid
document signature' errors for customers using 'Sign SAML assertion'
only, which is a common enterprise configuration.

This fix sets wantAuthnResponseSigned to false for Azure SAML, which:
- Allows 'Sign SAML assertion' configurations to work
- Still validates the assertion signature for security
- Remains compatible with 'Sign SAML response and assertion' configs

This is consistent with how other providers are handled (JumpCloud
already sets wantAuthnResponseSigned=false, Google/Auth0 set
wantAssertionsSigned=false).

Co-Authored-By: Vlad Matsiiako <vm265@cornell.edu>
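The signing-policy semantics that the PR description and commit message rely on, as an added TypeScript example that is not Infisical's or node-saml's code. It locates the enveloped XML signatures in a SAML Response by the ds:Reference URI each one points at (so it reports which element a signature actually covers, rather than just whether a Signature element exists), maps that back to the Entra ID option names used above, and then applies node-saml-style wantAuthnResponseSigned / wantAssertionsSigned flags to decide acceptance. The sample response, the flag semantics, the error strings other than "Invalid document signature", the "Sign SAML response" option (which the PR does not discuss) and the guard against a policy with both flags false are this example's own assumptions; nothing is cryptographically verified here, only located.

```typescript
// Added example, not Infisical's or node-saml's code. It finds which elements of a
// SAML Response carry an enveloped XML signature and applies node-saml-style policy
// flags to decide acceptance. The sample XML is constructed for this example and the
// flag semantics are modelled here; no signature is cryptographically verified.

type SigningPolicy = { wantAuthnResponseSigned: boolean; wantAssertionsSigned: boolean };
type SignatureReport = { responseSigned: boolean; assertionSigned: boolean };
type Verdict = { ok: boolean; reason: string };

// node-saml defaults (both true) versus the relaxed policy the PR applies to Azure:
// the Response envelope may be unsigned, but the Assertion must still be signed.
const NODE_SAML_DEFAULT: SigningPolicy = { wantAuthnResponseSigned: true, wantAssertionsSigned: true };
const AZURE_POLICY: SigningPolicy = { wantAuthnResponseSigned: false, wantAssertionsSigned: true };

// ID attribute of the first <prefix:localName ...> element (what a ds:Reference URI points at).
function elementId(xml: string, localName: string): string | null {
  const m = xml.match(new RegExp(`<(?:\\w+:)?${localName}\\b[^>]*\\bID="([^"]+)"`));
  return m && m[1] ? m[1] : null;
}

// Every "#id" the ds:Reference elements point at. An enveloped signature covers the
// element whose ID matches, so this tells us what each signature actually protects.
function signedReferenceIds(xml: string): string[] {
  const ids: string[] = [];
  const re = /<(?:\w+:)?Reference\b[^>]*\bURI="#([^"]+)"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(xml)) !== null) {
    if (m[1]) ids.push(m[1]);
  }
  return ids;
}

function inspectSignatures(xml: string): SignatureReport {
  const responseId = elementId(xml, "Response");
  const assertionId = elementId(xml, "Assertion");
  const refs = signedReferenceIds(xml);
  return {
    responseSigned: responseId !== null && refs.includes(responseId),
    assertionSigned: assertionId !== null && refs.includes(assertionId),
  };
}

// Map the signatures found back to the Entra ID option names ("Sign SAML response" is
// an assumption of this example; the PR only names the other two).
function azureSigningOption(xml: string): string {
  const s = inspectSignatures(xml);
  if (s.responseSigned && s.assertionSigned) return "Sign SAML response and assertion";
  if (s.assertionSigned) return "Sign SAML assertion";
  if (s.responseSigned) return "Sign SAML response";
  return "unsigned";
}

// Modelled acceptance logic: each flag that is set demands the corresponding signature.
// The both-false guard is this example's own check, reflecting the review-checklist
// item that the assertion signature must remain mandatory when the response one is not.
function evaluate(policy: SigningPolicy, xml: string): Verdict {
  if (!policy.wantAuthnResponseSigned && !policy.wantAssertionsSigned) {
    return { ok: false, reason: "insecure policy: no signature required anywhere" };
  }
  const sig = inspectSignatures(xml);
  if (policy.wantAuthnResponseSigned && !sig.responseSigned) {
    return { ok: false, reason: "Invalid document signature" }; // the error the PR fixes
  }
  if (policy.wantAssertionsSigned && !sig.assertionSigned) {
    return { ok: false, reason: "assertion is not signed" }; // wording is this example's
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample (not a real Entra ID response): a minimal Response/Assertion with
// an enveloped-signature skeleton wherever the chosen Azure option would place one.
function signatureFor(targetId: string): string {
  return `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>` +
    `<ds:Reference URI="#${targetId}"/></ds:SignedInfo>` +
    `<ds:SignatureValue>c29tZS1iYXNlNjQ=</ds:SignatureValue></ds:Signature>`;
}

function buildResponse(signResponse: boolean, signAssertion: boolean): string {
  return `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
    `xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">` +
    `<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>` +
    (signResponse ? signatureFor("_resp1") : "") +
    `<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>` +
    `<saml:Assertion ID="_asr1" Version="2.0">` +
    `<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>` +
    (signAssertion ? signatureFor("_asr1") : "") +
    `<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>` +
    `</saml:Assertion></samlp:Response>`;
}

// Azure "Sign SAML assertion": rejected by the default policy, accepted by the Azure policy.
const assertionOnly = buildResponse(false, true);
console.log(azureSigningOption(assertionOnly), "->", evaluate(NODE_SAML_DEFAULT, assertionOnly).reason);
console.log(azureSigningOption(assertionOnly), "->", evaluate(AZURE_POLICY, assertionOnly).reason);
// A response with no signature at all is still rejected under the Azure policy.
const unsigned = buildResponse(false, false);
console.log(azureSigningOption(unsigned), "->", evaluate(AZURE_POLICY, unsigned).reason);
```

Running this against a captured response (after base64-decoding the SAMLResponse form field) is a quick way to confirm which Entra ID signing option a tenant is actually using before changing the policy flags; the same reference-URI check is also the first thing to look at when a signature is present but sits on an element the relying party does not consume.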
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@maidul98
Collaborator

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues


@greptile-apps
Contributor

greptile-apps bot commented Jan 26, 2026

Greptile Overview

Greptile Summary

Sets wantAuthnResponseSigned = false for Azure SAML to support Azure AD/Entra ID's "Sign SAML assertion" configuration option, mirroring the existing JumpCloud implementation.

Key changes:

  • Allows Azure customers to use "Sign assertion only" signing option without receiving "Invalid document signature" errors
  • Maintains backward compatibility with "Sign SAML response and assertion" configuration
  • Assertion signatures are still validated via node-saml's default behavior (security is maintained)
  • Follows the pattern already established for JumpCloud SAML on line 82

The change is narrow in scope, well-documented with inline comments, and addresses a legitimate enterprise use case where Azure IdPs are configured to sign only the SAML assertion rather than the entire response envelope.

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk - it follows established patterns and maintains cryptographic validation
  • The change mirrors the existing JumpCloud implementation (line 82), is well-documented with inline comments explaining the Azure SAML behavior, and maintains security by still validating assertion signatures. The only minor concern is the existing JSON.parse on line 90 lacks error handling (pre-existing issue, not introduced by this PR)
  • No files require special attention - the change is a simple configuration flag addition

Important Files Changed

Filename: backend/src/ee/routes/v1/saml-router.ts
Overview: Added wantAuthnResponseSigned = false for Azure SAML to support 'Sign assertion only' configuration; mirrors JumpCloud implementation

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

@carlosmonastyrski carlosmonastyrski left a comment

LGTM, reproduced the same issue without the wantAuthnResponseSigned property, and confirmed it'll work the same for both flows

@carlosmonastyrski carlosmonastyrski merged commit 735a585 into main Jan 27, 2026
11 of 12 checks passed
