Encrypted attributes in HighLevel api SSO

Is it possible to use encrypted attributes in the high-level API?
SAMLIdentityProvider.InitiateSSO seems to only accept SAMLAttribute not EncryptedAttribute.

Thank you

Our low-level API supports encrypted SAML attributes but we didn’t expose this functionality in the high-level API.
From our experience, if you are going to encrypt one or more SAML attributes then you might as well encrypt the entire SAML assertion.
The expensive part of XML encryption is encrypting the random symmetric key using the asymmetric key. The encryption of the data using the symmetric key is a less expensive operation and the length of the data (SAML attribute vs SAML assertion) doesn’t make a significant difference in the overall time.
If there’s a specific use case where you have to encrypt SAML attributes rather than the SAML assertion please let us know the circumstances.

Thank you for the quick reply.
We are integrating with a 3rd party application, and the doc for that app says:
1. Before signing the SAML response, the Yodlee attributes have to be encrypted.
2. The encryption is done by generating a temporary symmetric key.
 Temporary Key Algorithm - AES
 Temporary Key Size - 128
 Temporary Key Transformation (one of these two):
 AES/ECB/NoPadding
 AES/CBC/PSK6
3. Using this generated temporary key, encrypt the Yodlee attributes.
4. The encrypted text should be encoded with Base64 encoding.
5. The temporary key should be wrapped/encrypted with the Yodlee public key using the following:
 Wrapping Key Algorithm - RSA
 Wrapping Key Transaction - RSA/ECB/PKCS1Padding
6. The wrapped key should be encoded with Base64 encoding.
7. Then, the encoded key and encoded text should be sent along with the response in the format of: :

so we don’t have much choice here.
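
The key generation, encryption and wrapping steps (2 to 6) from the documentation quoted above, as an added C# example that is not part of the thread and does not use the vendor's API. It assumes the CBC option with PKCS#7 padding and an IV prepended to the ciphertext (neither is stated on the page), uses a constructed RSA key pair in place of the service provider's public key, and leaves out the final combined format because the page does not give it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class AttributeEncryptionExample
{
    // Steps 2-6 for one attribute value: returns (Base64 text, Base64 wrapped key).
    public static (string EncodedText, string EncodedKey) Encrypt(string value, RSA recipientKey)
    {
        using var aes = Aes.Create();
        aes.KeySize = 128;                 // step 2: temporary AES-128 key
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;   // assumption: the CBC option uses PKCS#5/#7 padding
        aes.GenerateKey();
        aes.GenerateIV();
        byte[] iv = aes.IV;

        // Step 3: encrypt the attribute value with the temporary key.
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] cipher;
        using (var enc = aes.CreateEncryptor())
            cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

        // Assumption: the IV travels in front of the ciphertext; the page does not say.
        byte[] blob = new byte[iv.Length + cipher.Length];
        Buffer.BlockCopy(iv, 0, blob, 0, iv.Length);
        Buffer.BlockCopy(cipher, 0, blob, iv.Length, cipher.Length);

        // Step 5: wrap the temporary key with the recipient's RSA public key.
        byte[] wrapped = recipientKey.Encrypt(aes.Key, RSAEncryptionPadding.Pkcs1);

        // Steps 4 and 6: Base64-encode both outputs.
        return (Convert.ToBase64String(blob), Convert.ToBase64String(wrapped));
    }

    static void Main()
    {
        using var rsa = RSA.Create(2048);  // constructed key pair standing in for the SP's key
        var (text, key) = Encrypt("constructed-sample-value", rsa);
        // Receiver side: unwrap the key, split off the IV, decrypt.
        byte[] k = rsa.Decrypt(Convert.FromBase64String(key), RSAEncryptionPadding.Pkcs1);
        byte[] blob = Convert.FromBase64String(text);
        byte[] iv = new byte[16];
        Buffer.BlockCopy(blob, 0, iv, 0, 16);
        using var aes = Aes.Create();      // defaults: CBC with PKCS7 padding
        using var dec = aes.CreateDecryptor(k, iv);
        byte[] plain = dec.TransformFinalBlock(blob, 16, blob.Length - 16);
        Console.WriteLine(Encoding.UTF8.GetString(plain));
    }
}
```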


I would double check with the service provider that they definitely want the individual SAML attributes encrypted rather than the entire SAML assertion.
It seems odd to encrypt individual attributes rather than the assertion and I suspect it will also be more expensive.
If they don’t support an encrypted SAML assertion then there’s always the option of using our low-level API.
However, please let me know once you’ve spoken to the service provider to confirm whether or not they support encrypted assertions.