Details

    • Type: Technical Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None
    • Sprint: AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15

      Description

      Assertion Encryption

      In order for the IdP to be able to encrypt the assertion, the SP must publish an X.509 certificate in its metadata, with the key usage declared as encryption:

      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>omit certificate data</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      

      Currently only RSA keys are supported for encryption.

      The IdP will then generate a key to encrypt the assertion. The SP can also influence which algorithm this key is generated for by advertising the algorithms it supports:

      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>omit certificate data</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      </md:KeyDescriptor>
      

      In this example a symmetric key for aes128-cbc will be generated and used to encrypt the assertion.

      The generated key used to encrypt the message is itself encrypted with the SP's published encryption certificate and sent together with the message. The key transport algorithm used is rsa-oaep-mgf1p.

      Enabling encryption on the SP

      If the node is configured as an SP, the administrator can create two different certificates: one for signing messages and one for encrypting assertions. Once the encryption certificate has been created on the SP, the generated metadata will include it as the certificate to be used for encryption.

      The encryption certificate is stored under an alias formed by the entityId plus the -encryption suffix.

      Forcing encryption on the IdP

      When creating the connection to the SP, the administrator can configure that the connection must negotiate the encryption parameters successfully. If the forced-encryption option is not checked and the encryption parameters cannot be negotiated successfully, the assertion is sent unencrypted. If the option is checked, the response is not sent at all.
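      As an added example (not code from this issue or from the project), a small Python check that reads SP metadata the way the description requires and then replays the IdP decision described in the metadata and forced-encryption passages above: it shows when a missing encryption certificate or an algorithm the IdP cannot generate a key for results in a plaintext assertion versus a refused response. The IdP's supported-algorithm list and preference order, the fallback when the SP advertises no EncryptionMethod, and the placeholder certificate value are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Assumed: data-encryption algorithms this hypothetical IdP can generate keys for, in
# order of preference; the identifiers are the standard XML Encryption algorithm URIs.
IDP_SUPPORTED = ("http://www.w3.org/2009/xmlenc11#aes256-gcm",
                 "http://www.w3.org/2001/04/xmlenc#aes128-cbc")

def encryption_descriptors(metadata_xml):
    """Certificates and advertised algorithms from every KeyDescriptor usable for
    encryption: use="encryption", or no 'use' attribute at all, which the SAML
    metadata spec treats as valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs, algs = [], []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        certs += [c.text.strip() for c in kd.iterfind(".//ds:X509Certificate", NS)
                  if c.text and c.text.strip()]
        algs += [em.get("Algorithm") for em in kd.iterfind("md:EncryptionMethod", NS)]
    return certs, algs

def negotiate(sp_metadata_xml, force_encryption):
    """Mimic the IdP decision the issue describes. Returns ("encrypted", alg);
    ("plaintext", None) when no algorithm could be agreed and encryption is not
    forced; ("refused", None) when it is forced, meaning no response is sent."""
    certs, sp_algs = encryption_descriptors(sp_metadata_xml)
    chosen = None
    if certs:  # without an encryption certificate there is nothing to wrap the key with
        # No EncryptionMethod advertised: assume the IdP falls back to its own preference.
        candidates = sp_algs or list(IDP_SUPPORTED)
        chosen = next((a for a in IDP_SUPPORTED if a in candidates), None)
    if chosen:
        return "encrypted", chosen
    return ("refused" if force_encryption else "plaintext"), None

def sp_metadata(use, alg=None):
    """Constructed minimal SP metadata with one KeyDescriptor (sample input only)."""
    cert = ('<ds:KeyInfo xmlns:ds="%s"><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo>' % NS["ds"])
    method = ('<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#%s"/>' % alg
              if alg else "")
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example/metadata">'
            '<md:SPSSODescriptor><md:KeyDescriptor use="%s">%s%s</md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>' % (NS["md"], use, cert, method))

SP_AES128 = sp_metadata("encryption", "aes128-cbc")
SP_3DES = sp_metadata("encryption", "tripledes-cbc")  # not in IDP_SUPPORTED: negotiation fails
SP_SIGNING_ONLY = sp_metadata("signing")  # no encryption certificate at all
```

The "plaintext" outcome is the silent fallback the description warns about: with the option unchecked, an SP whose metadata only advertises algorithms the IdP cannot use still receives the assertion, just unencrypted.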
