Is it required to encrypt the Assertion in IDP SSO Response? What is the benefit of encrypting the Assertion? What parts of SAML Response are being encrypted?

Hi

I have an ASP.NET MVC IDP site and multiple ASP.NET MVC SP sites. The SSO is being processed under SSL.
When I am setting up the IDP SAML configuration, I see inside the PartnerServiceProvider, there is an attribute of “EncryptAssertion”.

I would like to ask some questions.
1. Is it required to encrypt the Assertion in IDP SSO Response?
2. What is the benefit of encrypting the Assertion?
3. I have attached a file with a sample non-encrypted SAML Response. What parts of SAML Response are being encrypted when “EncryptAssertion” is set to true?

1. Encrypting the SAML assertion is optional. In most situations it isn’t encrypted and privacy is provided at the transport layer using HTTPS.

2. It’s an extra level of security that’s enabled if the SAML assertion contains particularly sensitive user information or the environment dictates the need. HTTPS should always be used so SAML assertion encryption is on top of the security provided at the transport layer. If there are intermediate network nodes, the HTTPS traffic may be decrypted. The SAML assertion will remain encrypted from IdP through to SP regardless of any intermediate network nodes.

3. Instead of the node there’s an Node.
[quote]
ComponentSpace - 5/29/2018
1. Encrypting the SAML assertion is optional. In most situations it isn't encrypted and privacy is provided at the transport layer using HTTPS.

2. It's an extra level of security that's enabled if the SAML assertion contains particularly sensitive user information or the environment dictates the need. HTTPS should always be used so SAML assertion encryption is on top of the security provided at the transport layer. If there are intermediate network nodes, the HTTPS traffic may be decrypted. The SAML assertion will remain encrypted from IdP through to SP regardless of any intermediate network nodes.

3. Instead of the node there's an Node.
[/quote]

Thank you very much.

Is IDP using the SP's certificate to encrypt the Assertion?
[quote]
Is IDP using the SP's certificate to encrypt the Assertion?
[/quote]
I got the answer in ComponentSpace samlv2developer-guide.pdf. It is encrypting with the SP's certificate.

That’s correct.
The IdP encrypts the SAML assertion with a random symmetric key, which in turn is encrypted with the SP’s public key.
The SP uses its private key to decrypt the symmetric key, which in turn is used to decrypt the SAML assertion.
This ensures that only the SP can decrypt the SAML assertion.
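The scheme described in this reply, as an added illustration that is not ComponentSpace code: a one-time symmetric key seals the assertion, the SP's public key wraps that key, and only the SP's private key can unwrap it. The throwaway RSA key pair standing in for the SP certificate, the plain struct standing in for the XML Encryption markup, and the choice of AES-256-GCM with RSA-OAEP are assumptions of this example, not what the library is documented to use.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedAssertion models what the IdP sends; illustrative layout, not the XML Encryption markup.
type EncryptedAssertion struct {
	WrappedKey, Nonce, Ciphertext []byte // AES key under RSA-OAEP for the SP; GCM nonce; sealed assertion XML
}

// must panics on errors that can only mean a broken platform or a misconfigured key size.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewSPKey makes a throwaway RSA-2048 key pair standing in for the SP's certificate and private key (assumption).
func NewSPKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
// aead builds AES-256-GCM; callers guarantee a 32-byte key, so construction cannot fail.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// EncryptAssertion is the IdP side: a fresh random key per assertion, wrapped so only the SP can unwrap it.
func EncryptAssertion(assertion []byte, spPub *rsa.PublicKey) *EncryptedAssertion {
	buf := make([]byte, 32+12) // 32-byte AES key followed by a 12-byte GCM nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, key, nil))
	return &EncryptedAssertion{wrapped, nonce, aead(key).Seal(nil, nonce, assertion, nil)}
}

// DecryptAssertion is the SP side: another private key fails at the unwrap, a tampered ciphertext fails in GCM.
func DecryptAssertion(ea *EncryptedAssertion, spPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, ea.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key unwrap failed, not the intended SP's key: %v", err)
	}
	return aead(key).Open(nil, ea.Nonce, ea.Ciphertext, nil)
}

func main() {
	sp := NewSPKey() // in the thread this key pair comes from the SP's certificate
	ea := EncryptAssertion([]byte("<saml:Assertion>constructed sample</saml:Assertion>"), &sp.PublicKey)
	fmt.Println(string(must(DecryptAssertion(ea, sp))))
}
```

Decrypting with any other private key, or after altering the ciphertext, returns an error rather than any plaintext, which is the property the reply above relies on.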