Encrypted Assertion in SAML Response contains X509Data

One of our requirements is to first sign and then encrypt the SAML assertion. We are signing with our private key and then encrypting it using the client's public key, using the following ComponentSpace method.
EncryptedAssertion(XmlElement samlAssertion, X509Certificate2 x509Certificate, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod);
For both the key encryption and data encryption methods we are using the EncryptedXml.XmlEncAES128Url algorithm.
But the generated encrypted assertion in the SAML response contains the following portion,

************************


Can it please be explained: is this portion also encrypted? Will it not be included in a portion like CipherData?
When we encrypt a signed assertion, is the signature also encrypted?
Thanks & Regards,
Sam

The following is an example of an .
The is the certificate/public key of the service provider used to encrypt the randomly generated symmetric key that's used to encrypt the actual data (i.e. the SAML assertion).
The service provider will use the private key associated with this certificate to decrypt the . This is the randomly generated symmetric key.
It will then use the symmetric key to decrypt the /.
The is the service provider’s certificate.
It’s not the identity provider’s certificate and has nothing to do with the XML signature over the SAML assertion.
The X.509 certificate that’s part of the XML signature will be included in the //.

https://www.componentspace.com/forums/uploads/images/9f2c36e0-2ab7-4cc8-9e00-0f7f.png

So it means that the X509Data block contains the client's certificate/public key which they have provided to us for encrypting the assertion.
While we are encrypting with the client's public key, we must encrypt with a key size no larger than 128 bits.
So for both the key encryption and data encryption methods we are using the EncryptedXml.XmlEncAES128Url algorithm. Is it the right one?
Thanks,

The http://www.w3.org/2001/04/xmlenc#rsa-1_5 algorithm is used to encrypt the randomly generated symmetric key using the service provider’s public key.
The http://www.w3.org/2001/04/xmlenc#aes128-cbc algorithm is used to encrypt the SAML assertion using the randomly generated symmetric key.
The http://www.w3.org/2001/04/xmlenc#aes128-cbc algorithm uses a 128-bit key.

One of the other requirements is that the SAML response data should be Base64 encoded with no line breaks.
For sending the response we are using the following method from ComponentSpace,

public static void SendSAMLResponseByHTTPPost(HttpResponse httpResponse, string spURL, XmlElement samlResponse, string relayState);

Here is my question: is this method converting the SAML response data to Base64 encoded with no line breaks? If not, how can we do it using the ComponentSpace DLL?
We have been provided only one URL, so we are sending the same URL in both the spURL and relayState parameters. Is this correct?
What is the difference between the spURL and relayState parameters?
Thanks,

We don’t include line breaks. You could use something like Fiddler and capture the HTTP traffic to confirm this.
The spURL and relayState parameters should not be the same.
The spURL is the URL where the SAML response will be sent. This is the service provider’s assertion consumer service.
In IdP-initiated SSO, the relayState is the optional URL to which the SP should redirect once SSO completes. This supports accessing a particular page rather than the default page of the SP as part of SSO.

As we have one SSO URL to which the SAML response will be sent, in the following ComponentSpace method we will have to pass it in the spURL parameter and keep the relayState parameter empty. Is it correct?
public static void SendSAMLResponseByHTTPPost(HttpResponse httpResponse, string spURL, XmlElement samlResponse, string relayState);

While sending the SAML response to the SP, is the above-mentioned ComponentSpace method converting it to a Base64 encoded string?
Thanks,

You must specify the spURL parameter. This is the service provider’s assertion consumer service which will receive and process the SAML response.
The relayState is optional. If you specify null then the service provider will most likely redirect to its home/default page after completing SSO. If you do specify a relayState then the service provider is supposed to redirect to this URL once SSO completes.
The SendSAMLResponseByHTTPPost method performs all necessary encoding etc including base-64 encoding.
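As an added illustration of what the HTTP-POST binding described in this reply looks like on the wire (this is example code written for this thread, not ComponentSpace's implementation): the SAML response is base64-encoded with no line breaks, the form's action is the SP's assertion consumer service URL (the spURL), and RelayState travels as a separate hidden field that must not simply repeat the ACS URL. The response XML, IDs and URLs below are constructed placeholders. The same pitfall exists in .NET, where Convert.ToBase64String only inserts line breaks if Base64FormattingOptions.InsertLineBreaks is passed.

```python
# Added example (not ComponentSpace code): the HTTP-POST binding form an IdP
# returns to the browser, with the SAML response base64-encoded without line
# breaks, the SP's ACS URL as the form action and RelayState as its own field.
import base64
import html
import re
from typing import Dict

MAX_RELAY_STATE_BYTES = 80  # SAML 2.0 Bindings 3.4.3 limit on RelayState length

# Constructed sample response; IDs and URLs are placeholders, not from the thread.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_placeholder-response-id" Version="2.0" IssueInstant="2015-08-09T00:00:00Z" '
    'Destination="https://sp.example.com/saml/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>'
    '</samlp:Response>'
)


def encode_saml_response(saml_response_xml: str) -> str:
    """Base64 without line breaks, as the POST binding requires."""
    return base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")


def compare_encodings(saml_response_xml: str) -> Dict[str, bool]:
    """Show the pitfall: line-wrapping encoders insert a newline every 76 characters."""
    raw = saml_response_xml.encode("utf-8")
    return {
        "b64encode_has_line_breaks": "\n" in base64.b64encode(raw).decode("ascii"),
        "encodebytes_has_line_breaks": "\n" in base64.encodebytes(raw).decode("ascii"),
    }


def build_post_form(acs_url: str, saml_response_xml: str, relay_state: str = "") -> str:
    """Self-submitting form: action is the SP's ACS URL, RelayState is a separate field."""
    if relay_state:
        if relay_state == acs_url:
            raise ValueError("RelayState must not repeat the ACS URL; it is the post-SSO destination")
        if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
            raise ValueError("RelayState exceeds 80 bytes")
    fields = [("SAMLResponse", encode_saml_response(saml_response_xml))]
    if relay_state:
        fields.append(("RelayState", relay_state))
    # Values are HTML-escaped so the browser submits them byte-for-byte.
    inputs = "\n".join(
        f'  <input type="hidden" name="{name}" value="{html.escape(value, quote=True)}" />'
        for name, value in fields
    )
    return (
        f'<form method="post" action="{html.escape(acs_url, quote=True)}">\n'
        f"{inputs}\n"
        '  <noscript><input type="submit" value="Continue" /></noscript>\n'
        "</form>"
    )


def decode_saml_response(encoded: str) -> str:
    """SP side of the requirement: reject values with line breaks or other non-base64 characters."""
    if re.search(r"[\r\n]", encoded):
        raise ValueError("SAMLResponse contains line breaks")
    return base64.b64decode(encoded, validate=True).decode("utf-8")


if __name__ == "__main__":
    print(build_post_form("https://sp.example.com/saml/acs", SAMPLE_RESPONSE,
                          "https://sp.example.com/app/reports"))
    print(compare_encodings(SAMPLE_RESPONSE))
```

Running the module prints the form and shows that `b64encode` produces a single line while `encodebytes` wraps, which is the difference the requirement above is guarding against.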

When we first sign the SAML assertion using our private key and then encrypt the SAML assertion using the SP's public key, using the EncryptedXml.XmlEncAES128Url algorithm for both the key encryption and data encryption methods, our generated SAML EncryptedAssertion looks like this:

<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          ...
        </KeyInfo>
        ...
      </EncryptedKey>
    </KeyInfo>
    ...
  </EncryptedData>
</saml:EncryptedAssertion>

I just want to confirm/double check that the following block in the SAML EncryptedAssertion is the service provider's certificate/public key.


**********************



and that this block is not causing any issue in the EncryptedAssertion.

As we first sign and then encrypt, in which block of the above-mentioned SAML EncryptedAssertion does our signature exist?
Thanks,

Yes, that’s correct. That’s the service provider’s certificate in the under the .
The signed SAML assertion including the identity provider’s certificate is in the // section.
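To make the layout the replies above describe concrete, here is an added inspection routine (example code written for this thread, not ComponentSpace's own code). It walks a saml:EncryptedAssertion with the standard library, reports the data-encryption and key-transport algorithms, confirms that the only X509Data visible before decryption sits under EncryptedKey (the recipient SP's certificate), and confirms that no ds:Signature is visible, since the signed assertion and the IdP's certificate are inside the CipherValue. It also flags a key-transport algorithm that is not RSA, which is the mismatch implied by passing an AES URI as the key encryption method with a certificate, and notes rsa-1_5 as a practitioner caveat (RSA-OAEP is the preferred key transport where the SP supports it). The sample document is constructed with placeholder base64 values.

```python
# Added example (not ComponentSpace code): inspect a saml:EncryptedAssertion before
# decryption and report which key material is visible and whether the algorithm
# choices match the structure discussed in the thread.
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# RSA key-transport algorithms a certificate's public key can wrap a session key with.
KEY_TRANSPORT_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
}
# Symmetric data-encryption algorithms and their key sizes in bits.
DATA_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": 128,
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": 256,
}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample with the element layout from the thread; the base64 values are
# placeholders standing in for a real certificate, wrapped key and ciphertext.
SAMPLE = f"""<saml:EncryptedAssertion xmlns:saml="{NS['saml']}">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="{NS['xenc']}">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <KeyInfo xmlns="{NS['ds']}">
      <EncryptedKey xmlns="{NS['xenc']}">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="{NS['ds']}">
          <X509Data><X509Certificate>{_b64(b'SP-CERT-PLACEHOLDER')}</X509Certificate></X509Data>
        </KeyInfo>
        <CipherData><CipherValue>{_b64(b'wrapped-session-key-placeholder')}</CipherValue></CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData><CipherValue>{_b64(b'encrypted-signed-assertion-placeholder')}</CipherValue></CipherData>
  </EncryptedData>
</saml:EncryptedAssertion>"""


def inspect_encrypted_assertion(xml_text: str) -> dict:
    """Return what can be learned from an EncryptedAssertion without the SP's private key."""
    root = ET.fromstring(xml_text)
    report = {"problems": [], "warnings": []}

    enc_data = root.find("xenc:EncryptedData", NS)
    if enc_data is None:
        report["problems"].append("no xenc:EncryptedData under saml:EncryptedAssertion")
        return report

    # Data encryption: the symmetric algorithm applied to the (already signed) assertion.
    data_method = enc_data.find("xenc:EncryptionMethod", NS)
    report["data_algorithm"] = data_method.get("Algorithm") if data_method is not None else None
    report["data_key_bits"] = DATA_ALGORITHMS.get(report["data_algorithm"])
    if report["data_key_bits"] is None:
        report["problems"].append(f"unexpected data encryption algorithm: {report['data_algorithm']}")

    # Key transport: EncryptedKey carries the session key wrapped with the SP's public key.
    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if enc_key is None:
        report["problems"].append("no EncryptedKey: session key is not transported in-band")
        return report
    wrap_method = enc_key.find("xenc:EncryptionMethod", NS)
    report["key_transport_algorithm"] = wrap_method.get("Algorithm") if wrap_method is not None else None
    if report["key_transport_algorithm"] not in KEY_TRANSPORT_ALGORITHMS:
        report["problems"].append(
            f"key transport algorithm {report['key_transport_algorithm']} is not RSA; "
            "a certificate's public key can only wrap the session key with an RSA key transport")
    elif report["key_transport_algorithm"].endswith("rsa-1_5"):
        report["warnings"].append("rsa-1_5 key transport; prefer rsa-oaep-mgf1p where the SP supports it")

    # The X509Data here identifies the recipient SP's encryption certificate,
    # not the IdP's signing certificate.
    cert = enc_key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    report["recipient_cert_present"] = cert is not None
    report["recipient_cert_bytes"] = len(base64.b64decode(cert.text.strip())) if cert is not None else 0

    wrapped = enc_key.find("xenc:CipherData/xenc:CipherValue", NS)
    payload = enc_data.find("xenc:CipherData/xenc:CipherValue", NS)
    for name, el in (("wrapped_key", wrapped), ("assertion_ciphertext", payload)):
        if el is None or not (el.text or "").strip():
            report["problems"].append(f"missing {name} CipherValue")
            report[f"{name}_bytes"] = 0
        else:
            report[f"{name}_bytes"] = len(base64.b64decode(el.text.strip()))

    # The XML signature (and the IdP certificate in its KeyInfo) is inside the
    # ciphertext, so no ds:Signature element is visible before decryption.
    report["signature_visible"] = root.find(".//ds:Signature", NS) is not None
    return report


if __name__ == "__main__":
    for key, value in inspect_encrypted_assertion(SAMPLE).items():
        print(f"{key}: {value}")
```

The report for the sample shows aes128-cbc for the data, rsa-1_5 for the key transport, one recipient certificate under EncryptedKey and no visible signature, which is the layout the replies above describe; swapping the key-transport URI for an AES URI in the sample makes the routine report a problem.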

[quote]
ComponentSpace - 8/9/2015
Yes, that's correct. That's the service provider's certificate in the under the .
The signed SAML assertion including the identity provider's certificate is in the // section.

[/quote]

Can anybody tell me how to decrypt this type of data?
I am able to decode and validate the signature.
Now can anyone guide me how to decrypt the whole saml:EncryptedAssertion?
It's urgent.

I’m assuming you’re using the SAML high-level API.
When you call SAMLServiceProvider.ReceiveSSO, it will decrypt the SAML assertion automatically.
There’s nothing you need to do in your code.
It will use the local service provider’s private key specified in your SAML configuration to perform the decryption.
For example, that’s the LocalCertificateFile in a saml.config file.
To only accept an encrypted assertion, set WantAssertionEncrypted to true.