Can we encrypt and sign the assertion at the same time?

I am working with a ComponentSpace DLL that doesn't seem to allow the assertion to be signed and encrypted at the same time.

Creating an encrypted assertion is done by instantiating a new EncryptedAssertion class that takes a SAMLAssertion object.

However, signing is done via SAMLAssertionSignature.Generate(…), which takes an XmlElement.

So I assume that if both are allowed, I will have to sign it first and then encrypt it, and I don't see how that can happen, since converting the signed XmlElement to a SAMLAssertion will mess up the signature and it won't be verified properly.


Thanks

Tareq

Hi Tareq
We do support signed and encrypted SAML assertions.
If you use the SAML high-level API all this is done by the API and your application doesn’t have to worry about the details.
If you use the SAML low-level API, the sequence is:
1. Create the SAMLAssertion object.
2. Serialize it to XML by calling SAMLAssertion.ToXml().
3. Sign the SAML assertion XML by calling SAMLAssertionSignature.Generate().
4. Encrypt the signed SAML assertion by invoking one of the EncryptedAssertion constructors that takes an XmlElement and AsymmetricAlgorithm or X509Certificate2.
For example:
var encryptedAssertion = new EncryptedAssertion(samlAssertionXml, spX509Certificate);
However, I would recommend using the high-level API which handles this for you.

[quote]
ComponentSpace - 1/6/2017
Hi Tareq
We do support signed and encrypted SAML assertions.
If you use the SAML high-level API all this is done by the API and your application doesn't have to worry about the details.
If you use the SAML low-level API, the sequence is:
1. Create the SAMLAssertion object.
2. Serialize it to XML by calling SAMLAssertion.ToXml().
3. Sign the SAML assertion XML by calling SAMLAssertionSignature.Generate().
4. Encrypt the signed SAML assertion by invoking one of the EncryptedAssertion constructors that takes an XmlElement and AsymmetricAlgorithm or X509Certificate2.
For example:
var encryptedAssertion = new EncryptedAssertion(samlAssertionXml, spX509Certificate);
However, I would recommend using the high-level API which handles this for you.
[/quote]

Thanks for replying...

The ComponentSpace DLL I am using doesn't provide an overloaded EncryptedAssertion constructor that takes an XmlElement.
There are 4 overloads, and all of them accept only a SAMLAssertion object along with the rest of the cryptography fields.

Would you please share with me the steps for using the high-level API to accomplish this?

Thank you.

Tareq

What version of the ComponentSpace.SAML2 DLL do you have?
http://www.componentspace.com/Forums/31/Determining-the-Component-Version-and-License

[quote]
ComponentSpace - 1/6/2017
What version of the ComponentSpace.SAML2 DLL do you have?
http://www.componentspace.com/Forums/31/Determining-the-Component-Version-and-License
[/quote]

I apologize for the confusion.

The DLL I use does indeed have a few overloaded constructors that take an XmlElement assertion.

So in this case, I assume that upon consuming the SAML response, if the assertion is encrypted and signed, I will have to decrypt it first and then verify the signature.

Correct?

That’s correct.
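Putting both halves of the thread together, here is an added example (written for this page, not ComponentSpace's own sample code) of the low-level sequence from ComponentSpace's first reply (create, ToXml, Generate, EncryptedAssertion) on the issuing side, and the decrypt-then-verify order confirmed just above on the consuming side. Only SAMLAssertion, SAMLAssertion.ToXml(), SAMLAssertionSignature.Generate() and the EncryptedAssertion(XmlElement, X509Certificate2) constructor are taken from the thread; the other calls (Issuer/Subject/NameID/AuthnStatement constructors, SAMLResponse and its Assertions list, GetEncryptedAssertions(), DecryptToXml(), SAMLAssertionSignature.IsSigned()/Verify()) and the full argument list of Generate() are my assumptions about the ComponentSpace SAML v2.0 for .NET API and should be checked against the version of the DLL you have. The two helper methods and their parameter names are hypothetical.

```csharp
// Added example, not ComponentSpace's sample code. Assumed: the ComponentSpace
// SAML v2.0 for .NET low-level API; only ToXml(), SAMLAssertionSignature.Generate()
// and EncryptedAssertion(XmlElement, X509Certificate2) are named in the thread.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;

public static class SignedEncryptedAssertionExample
{
    // Identity provider side: sign the plaintext <Assertion> first, then encrypt
    // the signed XML. The order matters: the signature lives inside the ciphertext.
    public static XmlElement IssueResponse(
        string issuerName, string subjectNameId,
        X509Certificate2 idpSigningCert,   // must carry the private key
        X509Certificate2 spEncryptionCert) // SP public key is enough
    {
        // Step 1: build the assertion object (assumed constructors).
        var samlAssertion = new SAMLAssertion
        {
            Issuer = new Issuer(issuerName),
            Subject = new Subject(new NameID(subjectNameId))
        };
        samlAssertion.Statements.Add(new AuthnStatement
        {
            AuthnContext = new AuthnContext
            {
                AuthnContextClassRef = new AuthnContextClassRef(
                    SAMLIdentifiers.AuthnContextClasses.Password)
            }
        });

        // Step 2: serialize once; every later step works on this same XmlElement.
        XmlElement assertionElement = samlAssertion.ToXml();

        // Step 3: enveloped XML signature over the plaintext assertion
        // (assumed overload: element, signing key, signing certificate).
        SAMLAssertionSignature.Generate(assertionElement, idpSigningCert.PrivateKey, idpSigningCert);

        // Step 4: encrypt the *signed* element for the SP. Do not round-trip through
        // new SAMLAssertion(assertionElement) here: re-serializing would change the
        // bytes the signature in step 3 was computed over.
        var encryptedAssertion = new EncryptedAssertion(assertionElement, spEncryptionCert);

        // Wrap it in a <Response> (assumed SAMLResponse API).
        var samlResponse = new SAMLResponse
        {
            Issuer = new Issuer(issuerName),
            Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null)
        };
        samlResponse.Assertions.Add(encryptedAssertion);
        return samlResponse.ToXml();
    }

    // Service provider side: the inverse order. Decrypt to XML (not to an object)
    // so the signed bytes survive, then verify against the certificate you trust.
    public static SAMLAssertion ConsumeResponse(
        XmlElement samlResponseElement,
        X509Certificate2 spDecryptionCert, // must carry the private key
        X509Certificate2 idpSigningCert)   // from IdP metadata, not from the message
    {
        var samlResponse = new SAMLResponse(samlResponseElement);
        var encryptedAssertions = samlResponse.GetEncryptedAssertions(); // assumed
        if (encryptedAssertions.Count != 1)
            throw new InvalidOperationException("Expected exactly one encrypted assertion.");

        // Step 1: decrypt (assumed overload: private key, key/data encryption methods).
        XmlElement assertionElement =
            encryptedAssertions[0].DecryptToXml(spDecryptionCert.PrivateKey, null, null);

        // Step 2: require a signature and verify it with the IdP certificate the SP
        // already trusts. Never trust a KeyInfo certificate carried in the assertion.
        if (!SAMLAssertionSignature.IsSigned(assertionElement))
            throw new InvalidOperationException("Decrypted assertion is not signed.");
        if (!SAMLAssertionSignature.Verify(assertionElement, idpSigningCert))
            throw new InvalidOperationException("Assertion signature verification failed.");

        // Only now build the object model for the remaining checks (Conditions,
        // AudienceRestriction, Recipient, NotOnOrAfter, InResponseTo, replay).
        return new SAMLAssertion(assertionElement);
    }
}
```

Two points a practitioner should take from this beyond the thread: on the consuming side, reject an assertion that decrypts to an unsigned element rather than treating the signature as optional, and verify with the IdP certificate configured from metadata, not with any certificate embedded in the message. The high-level API that ComponentSpace recommends performs this sign-then-encrypt and decrypt-then-verify ordering internally, so the above is only needed if you stay on the low-level API.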