Type: Technical Task
Affects Version/s: None
Fix Version/s: None
Component/s: Application Security > SAML
Sprint: AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15
In order for the IdP to be able to encrypt the assertion, the SP must publish an X.509 certificate in its metadata with the key usage set to encryption (a KeyDescriptor with use="encryption"):
Currently only RSA keys are supported for encryption.
The IdP then generates a fresh symmetric key and encrypts the assertion with it. The SP can influence which symmetric algorithm is used by advertising the algorithms it supports in the same KeyDescriptor:
In this example aes128-cbc is selected, so a 128-bit AES key is generated and the assertion is encrypted in CBC mode. Note that CBC in XML Encryption provides confidentiality only, so the assertion (or the enclosing response) must still be signed for the SP to detect tampering.
The generated key is itself encrypted with the public key from the SP's encryption certificate and sent together with the message as an EncryptedKey element. The key transport algorithm used is rsa-oaep-mgf1p.
If the node is configured as an SP, the administrator can create two different certificates: one for signing messages and one for encrypting assertions. Once the encryption certificate has been created on the SP, the generated metadata includes it with the usage set to encryption.
The encryption certificate is stored under an alias formed by the entityId plus the -encryption suffix.
When creating the connection to the SP, the administrator can require that encryption parameters be negotiated successfully. If the encryption forced option is not checked and the parameters cannot be negotiated (for example, the SP publishes no encryption certificate), the assertion is sent unencrypted; this is a silent downgrade, so leave the option unchecked only where an unencrypted assertion is acceptable. If the option is checked and negotiation fails, no response is sent at all.
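The following is an added example, not code from this product, illustrating both the metadata-driven negotiation described above (encryption certificate, advertised algorithms, rsa-oaep-mgf1p key transport) and the encryption forced policy for the connection. It reads a constructed SP metadata document, picks the data-encryption algorithm, and decides whether the response is sent encrypted, sent unencrypted, or not sent. The entityIDs, the placeholder certificate values, the IdP preference list, and the function names are assumptions; a real implementation would additionally parse the certificate and reject non-RSA keys, which this example does not do.

```python
"""Added example (not the product's own code): IdP-side negotiation of
SAML assertion encryption parameters from SP metadata, plus the
"encryption forced" policy. Metadata, certificates and names are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
KEY_TRANSPORT_ALGS = {RSA_OAEP_MGF1P, RSA_1_5}

# Data-encryption algorithms this hypothetical IdP is willing to use, most
# preferred first. GCM is first because CBC in XML Encryption has no
# integrity check of its own (assumed preference, not the product's).
IDP_PREFERENCE = [AES128_GCM, AES256_CBC, AES128_CBC]

# Constructed SP metadata: a signing cert and an encryption cert that
# advertises aes128-cbc for the data and rsa-oaep-mgf1p for key transport.
# The certificate values are placeholders, not real DER.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...signing-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...encryption-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same SP, but it publishes no encryption certificate at all.
SP_METADATA_NO_ENC = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...signing-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass
class EncryptionParams:
    certificate: str     # base64 certificate taken from the SP metadata
    data_algorithm: str  # symmetric algorithm used to encrypt the assertion
    key_transport: str   # algorithm used to wrap the generated symmetric key


def find_encryption_descriptor(root):
    # A KeyDescriptor with no use attribute is valid for signing and encryption.
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "encryption"):
            return kd
    return None


def negotiate(metadata_xml, idp_preference=IDP_PREFERENCE):
    """Return EncryptionParams, or None when parameters cannot be negotiated."""
    root = ET.fromstring(metadata_xml)
    kd = find_encryption_descriptor(root)
    if kd is None:
        return None
    cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if not cert:
        return None
    advertised = [e.get("Algorithm") for e in kd.findall("md:EncryptionMethod", NS)]
    transports = [a for a in advertised if a in KEY_TRANSPORT_ALGS]
    data_algs = [a for a in advertised if a not in KEY_TRANSPORT_ALGS]
    # Key transport is fixed to rsa-oaep-mgf1p; an SP advertising only other
    # transport algorithms cannot be served.
    if transports and RSA_OAEP_MGF1P not in transports:
        return None
    if data_algs:
        chosen = next((a for a in idp_preference if a in data_algs), None)
        if chosen is None:
            return None
    else:
        chosen = idp_preference[0]  # SP expressed no preference (assumption)
    return EncryptionParams(cert.strip(), chosen, RSA_OAEP_MGF1P)


def decide_response(metadata_xml, encryption_forced):
    """Apply the connection's encryption forced setting to the negotiation."""
    params = negotiate(metadata_xml)
    if params is not None:
        return "encrypted", params
    if encryption_forced:
        return "not_sent", None     # forced: refuse to send the response
    return "unencrypted", None      # not forced: silent downgrade


if __name__ == "__main__":
    print(decide_response(SP_METADATA, True))
    print(decide_response(SP_METADATA_NO_ENC, True))
    print(decide_response(SP_METADATA_NO_ENC, False))
```

The three outcomes of `decide_response` map directly onto the policy above: an SP that publishes an encryption certificate and a usable algorithm gets an encrypted assertion with aes128-cbc and rsa-oaep-mgf1p; an SP without one gets no response when encryption is forced, and an unencrypted assertion otherwise.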