Configure IdP to encrypt SAML assertions

7 messages

Configure IdP to encrypt SAML assertions

Redmond Militante
We've been asked to configure our IdP to work with a new service provider - this SP requires that the IDP encrypt the SAML 2.0 authentication response using a certificate from a known Certificate Authority provided by the SP.  I've heard this is a capability of the IdP but have not been able to find documentation on how this is done.  Any pointers?

Thank you!

R.

Re: Configure IdP to encrypt SAML assertions

Paul Hethmon
On 1/22/09 12:04 PM, "Redmond Militante" <rjm@...> wrote:

We've been asked to configure our IdP to work with a new service provider - this SP requires that the IDP encrypt the SAML 2.0 authentication response using a certificate from a known Certificate Authority provided by the SP.  I've heard this is a capability of the IdP but have not been able to find documentation on how this is done.  Any pointers?

The cert would be placed in the SP metadata as a <KeyDescriptor use="encryption"> element. Then change the relying-party.xml config to tell Shib to encrypt the assertions.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's warm for the rest of his life.

 -- Terry Pratchett, Discworld


Re: Configure IdP to encrypt SAML assertions

Brent Putman
Redmond Militante wrote:
> We've been asked to configure our IdP to work with a new service provider - this SP requires that the IDP encrypt the SAML 2.0 authentication response using a certificate from a known Certificate Authority provided by the SP.

Minor correction, but you can't actually encrypt a SAML Response, only
the Assertion(s) that are contained within it.

Also, in the Shib 2.0 IdP, the default on a front-channel response is to
always encrypt the resulting assertion.  If it's not doing it now, it
must be because you changed the defaults.

As Paul said, the SP will need to publish its encryption key/cert in
its metadata, or you'll need to add it in your copy if you're
maintaining it manually.


>  I've heard this is a capability of the IdP but have not been able to find documentation on how this is done.  Any pointers?

Yep, that's documented here:

https://spaces.internet2.edu/display/SHIB2/IdPXMLSigEnc


Re: Configure IdP to encrypt SAML assertions

Redmond Militante
I notice the IdP default relying party SAML2SSOProfile,
SAML2AttributeQueryProfile, SAML2ArtifactResolutionProfile is set to
encryptAssertions="conditional" and  encryptNameIds="conditional".  Does this
mean that, as long as there is no specific relying party overriding the
default, that assertions and NameIDs will be encrypted if the requesting SP
publishes a cert to be used for encryption in its metadata as a
<KeyDescriptor use="encryption"> element?  It wasn't clear from the wiki
entry if a specific relying party for the SP was required with
Profiles set to encryptAssertions="always" and encryptNameIds="always".

R.

+++ Brent Putman <[hidden email]> [09/02/06 07:30]:

>
> >  I've heard this is a capability of the IdP but have not been able to find documentation on how this is done.  Any pointers?
> >  
>
> Yep, that's documented here:
>
> https://spaces.internet2.edu/display/SHIB2/IdPXMLSigEnc

--
Redmond Militante NSIT/NBS The University of Chicago
PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>

RE: Configure IdP to encrypt SAML assertions

Cantor, Scott E.
Redmond Militante wrote on 2009-05-14:
> I notice the IdP default relying party SAML2SSOProfile,
> SAML2AttributeQueryProfile, SAML2ArtifactResolutionProfile is set to
> encryptAssertions="conditional" and  encryptNameIds="conditional".  Does
> this mean that, as long as there is no specific relying party overriding
> the default, that assertions and NameIDs will be encrypted if the
> requesting SP publishes a cert to be used for encryption in its metadata
> as a <KeyDescriptor use="encryption"> element?

No, it means that encryption will be done if a SAML binding that doesn't provide confidentiality is selected, and if no encryption key is available, it will fail the request. It will never just send the plaintext if it would otherwise be instructed to encrypt.

I think we changed the default on encryptNameIds, and if not, we really should. It's gratuitous to encrypt both, and that costs an extra RSA operation.

-- Scott


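As an added illustration (not Shibboleth code and not from any poster in this thread), the rule Scott describes written as a small Python model: it parses a constructed SP metadata document for an encryption-capable KeyDescriptor and then applies the always/conditional/never profile setting for a given binding, failing the request rather than falling back to plaintext when no key is published. The sample entityID, certificate placeholder and the treatment of SOAP as the only confidential binding are assumptions made for the example.

```python
"""Model of an IdP's assertion-encryption decision: encrypt, plaintext or fail.
Not Shibboleth's implementation; it mirrors the behaviour described in the thread."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Assumption for this example: the SOAP back-channel runs over TLS directly
# between IdP and SP, so it already provides confidentiality; the front-channel
# browser bindings (HTTP-POST, HTTP-Redirect, HTTP-Artifact) do not.
CONFIDENTIAL_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:SOAP"}

# Constructed sample SP metadata; the entityID and certificate are placeholders.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""


def sp_has_encryption_key(metadata_xml: str) -> bool:
    """True if the SP publishes a KeyDescriptor the IdP may encrypt to.
    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it counts as well."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        has_cert = kd.find(f".//{{{DS}}}X509Certificate") is not None
        if has_cert and kd.get("use") in (None, "encryption"):
            return True
    return False


def decide(setting: str, binding: str, metadata_xml: str) -> str:
    """Return 'encrypt', 'plaintext' or 'fail' for one outgoing assertion."""
    if setting not in ("always", "conditional", "never"):
        raise ValueError(f"unknown encryptAssertions setting {setting!r}")
    if setting == "never":
        return "plaintext"
    if setting == "conditional" and binding in CONFIDENTIAL_BINDINGS:
        return "plaintext"  # transport already protects the assertion
    # Instructed to encrypt: use the SP's key, or fail the request outright.
    return "encrypt" if sp_has_encryption_key(metadata_xml) else "fail"
```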

Re: Configure IdP to encrypt SAML assertions

Redmond Militante
Thanks Scott.

+++ Scott Cantor <[hidden email]> [09/05/14 11:31]:

> Redmond Militante wrote on 2009-05-14:
> > I notice the IdP default relying party SAML2SSOProfile,
> > SAML2AttributeQueryProfile, SAML2ArtifactResolutionProfile is set to
> > encryptAssertions="conditional" and  encryptNameIds="conditional".  Does
> > this mean that, as long as there is no specific relying party overriding
> > the default, that assertions and NameIDs will be encrypted if the
> > requesting SP publishes a cert to be used for encryption in its metadata
> > as a <KeyDescriptor use="encryption"> element?
>
> No, it means that encryption will be done if a SAML binding that doesn't provide confidentiality is selected, and if no encryption key is available, it will fail the request. It will never just send the plaintext if it would otherwise be instructed to encrypt.
>
> I think we changed the default on encryptNameIds, and if not, we really should. It's gratuitous to encrypt both, and that costs an extra RSA operation.
>
> -- Scott

--
Redmond Militante NSIT/NBS The University of Chicago
PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>

Re: Configure IdP to encrypt SAML assertions

Brent Putman
Redmond Militante wrote:
>> I think we changed the default on encryptNameIds, and if not, we really should. It's gratuitous to encrypt both, and that costs an extra RSA operation.

It appears a consensus was reached to do it in email in January, but
it doesn't look like it ever happened, nor is there a JIRA issue I can
find.  It's easy so I'll go ahead and do it right now so it doesn't get
missed.