Encrypted NameID: how to decrypt

I am trying to integrate with an IdP and they are sending over an encrypted NameID. It is not something that can be changed. I see options to decrypt the assertions but not the NameID. I am using the high-level API; I've seen where this can be done using the Core version, but I haven't been able to find anything referencing the regular ASP.NET version.

In both the SAML for ASP.NET and SAML for ASP.NET Core products, we support encrypting the NameID included in the SAML logout request. However, neither product supports decrypting the NameID in the SAML assertion.

It’s extremely rare to see the NameID or SAML attributes encrypted. Instead, it’s much more common and makes more sense to encrypt the entire SAML assertion if more privacy beyond that provided by the transport layer security is required.

Is there any possibility the IdP can encrypt the SAML assertion rather than just the NameID?

[quote]
ComponentSpace - 12/8/2021
In both the SAML for ASP.NET and SAML for ASP.NET Core products, we support encrypting the NameID included in the SAML logout request. However, neither product supports decrypting the NameID in the SAML assertion.

It's extremely rare to see the NameID or SAML attributes encrypted. Instead, it's much more common and makes more sense to encrypt the entire SAML assertion if more privacy beyond that provided by the transport layer security is required.

Is there any possibility the IdP can encrypt the SAML assertion rather than just the NameID?

[/quote]

Well then, I won the lottery: it's not possible for them to change encrypting the NameID; I tried that first. I saw a post in the Core forum that had a code snippet to decrypt it, but I'm just not sure how to do that using the ASP.NET libraries.

Please contact support@componentspace.com. We might be able to add support in a beta.

To check exactly what you would like supported, please enable SAML trace and include the log file as an email attachment showing the encrypted Name ID.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - 12/8/2021
Please contact support@componentspace.com. We might be able to add support in a beta.

To check exactly what you would like supported, please enable SAML trace and include the log file as an email attachment showing the encrypted Name ID.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

For reference, this last post is what I would like to do, but just in ASP.NET:

https://www.componentspace.com/Forums/11218/Processing-decrypting-an-Assertion-containing-an-EncryptedID-element-someone-had-experience-example-?JumpToFirstUnreadPost=1
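As an added illustration of what decrypting an `EncryptedID` involves (this is not ComponentSpace's code and not the snippet from the linked post), the following uses only .NET's own `System.Security.Cryptography.Xml` API: it unwraps the RSA-protected session key from the `xenc:EncryptedKey`, decrypts the `xenc:EncryptedData`, and replaces the `<saml:EncryptedID>` with the recovered `<saml:NameID>`. The class and method names are hypothetical; `EncryptedXml` only handles the CBC block ciphers, so an IdP that encrypts with AES-GCM would need a different decryptor.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not ComponentSpace's code): decrypt <saml:EncryptedID> with .NET's XML Encryption API.
// EncryptedID holds an xenc:EncryptedData (AES-CBC) and an xenc:EncryptedKey carrying the AES key wrapped
// with the SP's RSA public key. Unwrap the key, decrypt, and put the plaintext <saml:NameID> back in place.
public static class EncryptedIdDecryptor
{
    // spPrivateKey is the SP's decryption key (e.g. cert.GetRSAPrivateKey()).
    // Returns true when an EncryptedID was found and replaced by its decrypted NameID.
    public static bool DecryptNameId(XmlDocument doc, RSA spPrivateKey)
    {
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
        nsm.AddNamespace("xenc", EncryptedXml.XmlEncNamespaceUrl);
        var encId = doc.SelectSingleNode("//saml:EncryptedID", nsm) as XmlElement;
        if (encId == null) return false;

        var dataEl = encId.SelectSingleNode("xenc:EncryptedData", nsm) as XmlElement;
        // The EncryptedKey is either a sibling of EncryptedData or nested inside its KeyInfo.
        var keyEl = encId.SelectSingleNode(".//xenc:EncryptedKey", nsm) as XmlElement;
        if (dataEl == null || keyEl == null)
            throw new CryptographicException("EncryptedID lacks EncryptedData or EncryptedKey");
        var encKey = new EncryptedKey(); encKey.LoadXml(keyEl);
        var encData = new EncryptedData(); encData.LoadXml(dataEl);

        // The key-transport algorithm decides OAEP vs PKCS#1 v1.5 unwrapping; refuse anything else.
        // RSA 1.5 is accepted only because some IdPs still emit it; OAEP is the one to ask for.
        string kt = encKey.EncryptionMethod?.KeyAlgorithm;
        bool useOaep = kt == EncryptedXml.XmlEncRSAOAEPUrl;
        if (!useOaep && kt != EncryptedXml.XmlEncRSA15Url)
            throw new CryptographicException($"Unsupported key transport algorithm: {kt}");
        byte[] sessionKey = EncryptedXml.DecryptKey(encKey.CipherData.CipherValue, spPrivateKey, useOaep);
        try
        {
            using var aes = Aes.Create();
            aes.Key = sessionKey;                 // key size (128/192/256) follows the unwrapped key
            var exml = new EncryptedXml(doc);
            byte[] plaintext = exml.DecryptData(encData, aes);  // IV is the leading block of CipherValue
            exml.ReplaceData(encId, plaintext);   // <saml:EncryptedID> becomes the decrypted <saml:NameID>
            return true;
        }
        finally
        {
            CryptographicOperations.ZeroMemory(sessionKey);  // don't leave the session key in memory
        }
    }
}
```

Run it on the SAML response's `XmlDocument` after the response signature has been verified, since a tampered `EncryptedKey` or `EncryptedData` should be rejected before any decryption is attempted.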

That link shows code that’s part of the low-level API.

I’m assuming that when you call the high-level API, SAMLServiceProvider.ReceiveSSO, you’d like this to automatically decrypt the encrypted Name ID.

Is that correct?

Please contact us by email and include a log file showing the encrypted Name ID in the SAML response.

Thanks.