Hi
I am doing SSO integration with one of my clients, who is using Ping Identity as their SSO provider service. https://www.pingidentity.com/en.html
My website is the IDP; my client is the SP.
On my end, in the configuration of PartnerServiceProvider, I set up the following configuration:
<PartnerServiceProvider Name="my client"
Description="my client Service Provider"
WantAuthnRequestSigned="true"
EncryptAssertion="true"
SignAssertion="true"
SignLogoutRequest="true"
SignLogoutResponse="true"
SignSAMLResponse="true"
AssertionConsumerServiceUrl="https://my client"
DataEncryptionMethod="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
KeyEncryptionMethod="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
PartnerCertificateFile="cer"/>
The IDP site is sending the SAML Response with encrypted Assertion to the Ping Identity service of the SP. I have attached the SampleSAMLResponseWithEncryptedAssertion.xml.
However, Ping Identity cannot decrypt it with the private key of their certificate and password.
I would like to confirm whether the format of the SAML Response with encrypted Assertion is the standard format that the other party should understand, so that I can reply to Ping Identity support and check whether they cannot understand the SAML Response with encrypted Assertion that we sent using ComponentSpace.
Thank you very much.
jyao@acats.com - 5/30/2018
We have found out that if we change DataEncryptionMethod to "aes128-cbc", it starts working.
I think Ping Identity does not support "aes256-cbc" data encryption method.
Thanks for the information.