Is it necessary to verify SAMLresponses from OKTA in application?

After getting SAMLresponses from OKTA, in order to prevent SAMLresponses from being tampered with, is it necessary to verify it in the application? For example, whether the certificate is expires ,the verification of assertion ,and so on.

Hi @zhaoqs

Yes, it’s required to verify SAML responses in order to prevent assertion tampering and creating invalid sessions or sessions with, for example, super administrator access by malicious actors.