• Type: Technical Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
    • Sprint:
      AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15


      Released in Liferay Connector to SAML 2.0

      • 5.0.0+ for DXP 7.2
      • 4.1.0+ for DXP 7.1

      Assertion Encryption

      In order for the IdP to be able to encrypt the assertion, the SP must publish an X.509 certificate in its metadata, specifying the usage as encryption:

      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate>omit certificate data</ds:X509Certificate>
        </ds:KeyInfo>
      </md:KeyDescriptor>

      Currently only RSA keys are supported for encryption.

      The IdP will then generate a symmetric key to encrypt the assertion. The SP can also influence which algorithm is used for that key by advertising the algorithms it supports:

      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate>omit certificate data</ds:X509Certificate>
        </ds:KeyInfo>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      </md:KeyDescriptor>

      In this example, aes128-cbc will be used to generate the symmetric key that encrypts the assertion.

      The generated key used to encrypt the message will itself be encrypted and sent together with the message. The key transport algorithm used is rsa-oaep-mgf1p.

      Enabling encryption on the SP

      If the node is configured as an SP, the administrator can create two different certificates: one for signing messages and one for encrypting assertions. Once the encryption certificate has been created on the SP, the generated metadata will include it for use in encryption.

      The encryption certificate is stored under an alias formed by the entityId plus the -encryption suffix.

      Forcing encryption on the IdP

      When creating the connection to the SP, the administrator can require that the connection negotiate encryption parameters successfully. If the encryption forced option is not checked and the encryption parameters can't be negotiated successfully, the assertion will be sent unencrypted. If the option is checked, the response won't be sent.
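      The following is an added example, not code from the Liferay connector, modelling the IdP-side decision described above: it reads the SP metadata for an encryption KeyDescriptor, picks a data-encryption algorithm the SP advertises, and applies the forced-encryption rule when negotiation fails. The IdP's preference list, the sample metadata and the certificate placeholders are constructed for the example; the namespace and algorithm URIs are the standard W3C/OASIS identifiers.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"md": MD, "ds": DS}
# Algorithms this hypothetical IdP accepts (most preferred first); DEFAULT_ALG applies
# when the SP publishes an encryption certificate but advertises no EncryptionMethod.
IDP_SUPPORTED = [XMLENC + "aes256-cbc", XMLENC + "aes128-cbc"]
DEFAULT_ALG = XMLENC + "aes128-cbc"

# Constructed SP metadata: an encryption certificate advertising aes128-cbc.
SP_WITH_ENCRYPTION = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="{XMLENC}aes128-cbc"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata that publishes a signing certificate only.
SP_SIGNING_ONLY = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp2.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def encryption_descriptors(metadata_xml):
    """Yield (certificate, advertised algorithms) per KeyDescriptor usable for encryption."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "encryption") != "encryption":  # no use attribute = both uses
            continue
        cert = (kd.findtext("ds:KeyInfo/ds:X509Certificate", "", NS) or "").strip()
        yield cert, [em.get("Algorithm") for em in kd.findall("md:EncryptionMethod", NS)]


def negotiate(metadata_xml, force_encryption):
    """Return ("encrypt", alg) on success, else ("refuse", None) if forced or ("plaintext", None)."""
    for cert, advertised in encryption_descriptors(metadata_xml):
        if not cert:                 # no certificate published: nothing to encrypt to
            continue
        if not advertised:           # SP expressed no algorithm preference
            return "encrypt", DEFAULT_ALG
        for alg in IDP_SUPPORTED:    # first IdP preference that the SP also lists
            if alg in advertised:
                return "encrypt", alg
    return ("refuse", None) if force_encryption else ("plaintext", None)
```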





            carlos.sierra Carlos Sierra
            stian.sigvartsen Stian Sigvartsen