Important to sign SAML assertions: A SAML authentication assertion is granted as proof of an authentication event. Generally, an end user authenticates to an intermediate party, which generates a SAML authentication assertion to prove that it has verified the user. The intermediary generally signs the assertion as proof and to assure the integrity of the assertion. So it is important to sign SAML assertions.

Not important to sign OAuth access tokens: OAuth2 generally uses bearer tokens, which means they are sent without a signature in the API request. So the compromise of a protected API service allows an attacker to observe the access tokens received from clients. An OAuth grant may give an application access to several different APIs for a user, such as the user's contacts and the user's calendars. This would allow the attacker access not only to the included services but also to the other services. Having only limited access tokens accessible to API services limits the potential impact of an attack.
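The last point, that limiting which access tokens each API service sees limits the impact of a compromise, can be modelled in a few lines. This is an added example, not part of the original answer; the AuthorizationServer and ApiService classes, the user "alice" and the audience names are hypothetical.

```python
import secrets


class AuthorizationServer:
    """Hypothetical in-memory issuer of opaque bearer tokens."""

    def __init__(self):
        self._tokens = {}  # token -> (user, audiences the token is valid for)

    def issue(self, user, audiences):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, frozenset(audiences))
        return token

    def introspect(self, token):
        return self._tokens.get(token)


class ApiService:
    """Protected API that accepts a bearer token only if it is an audience."""

    def __init__(self, name, auth_server):
        self.name = name
        self.auth = auth_server
        self.seen_tokens = []  # what a compromise of this service exposes

    def handle(self, token):
        self.seen_tokens.append(token)
        info = self.auth.introspect(token)
        if info is None:
            return 401
        _user, audiences = info
        return 200 if self.name in audiences else 403


def observed_token_reach(per_api_tokens):
    """Status each API returns for a token that the calendar API has seen."""
    auth = AuthorizationServer()
    contacts = ApiService("contacts", auth)
    calendar = ApiService("calendar", auth)
    if per_api_tokens:
        calendar_token = auth.issue("alice", ["calendar"])
    else:
        calendar_token = auth.issue("alice", ["contacts", "calendar"])
    calendar.handle(calendar_token)      # normal client request
    observed = calendar.seen_tokens[0]   # token visible inside calendar API
    return {api.name: api.handle(observed) for api in (contacts, calendar)}
```

With one broad token the calendar service holds a credential that the contacts service also accepts; with per-API tokens the same credential is refused there with 403.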