Decrypting an EncryptedID

Hi,
I need a way to get nameId from the EncryptedID element as the provider can’t encrypt the assertion or won’t for some reason.
Could you give me some code to get this done with the ASP.Net version?
Thanks,
Brian

Hi Brian,

The SAML high-level API automatically decrypts SAML assertions but not IDs. You would need to use the EncryptedID class under the ComponentSpace.SAML2.Assertions namespace to perform the decryption.

EncryptedID encryptedID = new EncryptedID(xmlElement);
NameID nameID = encryptedID.Decrypt(x509Certificate, null, null);

However, I’m not sure why anyone would encrypt the ID rather than just encrypting the SAML assertion. If a provider can encrypt the ID they should be able to encrypt the assertion. There’s no real performance cost in doing this either.
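The reply above gives the two decryption calls but not the steps around them. The following is an added example, not ComponentSpace's own code: it locates the Subject's EncryptedID in an already-parsed assertion element, checks that the service provider's certificate actually carries a private key, and then applies the EncryptedID constructor and Decrypt call from the reply. It assumes the caller has verified the assertion's signature before calling it, that the certificate is loaded as an X509Certificate2, and that the NameID class exposes the value through a NameIdentifier property (an assumption, check it against the library's documentation).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using ComponentSpace.SAML2.Assertions;

// Added example (not ComponentSpace's own code). Assumes the assertion's
// signature has already been validated and x509Certificate is the SP's
// decryption certificate loaded together with its private key.
public static class EncryptedIdHelper
{
    private const string SamlAssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    public static string GetNameIdentifier(XmlElement assertionElement, X509Certificate2 x509Certificate)
    {
        if (assertionElement == null) throw new ArgumentNullException(nameof(assertionElement));
        if (x509Certificate == null) throw new ArgumentNullException(nameof(x509Certificate));

        // Decryption is impossible without the private key; fail early with a clear message.
        if (!x509Certificate.HasPrivateKey)
            throw new InvalidOperationException("Decryption certificate must include the private key.");

        var ns = new XmlNamespaceManager(assertionElement.OwnerDocument.NameTable);
        ns.AddNamespace("saml", SamlAssertionNs);

        // A plain NameID needs no decryption; return it directly.
        var nameIdElement = assertionElement.SelectSingleNode("saml:Subject/saml:NameID", ns) as XmlElement;
        if (nameIdElement != null)
            return nameIdElement.InnerText;

        var encryptedIdElement = assertionElement.SelectSingleNode("saml:Subject/saml:EncryptedID", ns) as XmlElement;
        if (encryptedIdElement == null)
            throw new InvalidOperationException("Subject contains neither NameID nor EncryptedID.");

        // The two calls from the reply above; null for both encryption-method
        // parameters is used exactly as in that reply.
        EncryptedID encryptedID = new EncryptedID(encryptedIdElement);
        NameID nameID = encryptedID.Decrypt(x509Certificate, null, null);

        // Assumption: NameIdentifier holds the decrypted name identifier string.
        return nameID.NameIdentifier;
    }
}
```

Call it with the assertion's root XmlElement after the SAML response and assertion signatures have been checked; decrypting before validating the signature would mean acting on an identifier whose origin has not yet been established.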

[quote]
ComponentSpace - 10/19/2023
Hi Brian,

The SAML high-level API automatically decrypts SAML assertions but not IDs. You would need to use the EncryptedID class under the ComponentSpace.SAML2.Assertions namespace to perform the decryption.


EncryptedID encryptedID = new EncryptedID(xmlElement);
NameID nameID = encryptedID.Decrypt(x509Certificate, null, null);



However, I'm not sure why anyone would encrypt the ID rather than just encrypting the SAML assertion. If a provider can encrypt the ID they should be able to encrypt the assertion. There's no real performance cost in doing this either.
[/quote]

Thanks, yes, it's weird and we don't control the assertion. I've asked them to just encrypt the whole assertion but for some reason they won't.

Usually this type of thing is a mutual decision between the IdP and SP. It’s an odd decision by them.