Query about SAML 2.0 SSO for ASP.NET Library Compatibility with FIPS (Federal Information Processing Standard) 140-2

Could you please advise - Is the ComponentSpace library for ASP.NET SSO SAML 2.0 compliant with FIPS (Federal Information Processing Standard) 140-2 when Windows OS FIPS is enabled?

Does the SAML 2.0 .NET library support decrypting SAML assertions when the FIPS setting is enabled on the Windows operating system?


Yes, but this is dependent on the operating system and version of .NET framework.

The SAML library is FIPS agnostic. There’s nothing within the SAML library preventing the FIPS security policy being enabled in Windows. It’s the .NET framework and underlying operating system which determine whether to use a FIPS compliant cryptographic module or not.

If you’re using an up to date version of Windows server and .NET framework v4.8 or higher there shouldn’t be any issues.

I suggest enabling FIPS in your environment and confirming there are no issues.

[quote]
ComponentSpace - 10/17/2023
Yes, but this is dependent on the operating system and version of .NET framework.

The SAML library is FIPS agnostic. There's nothing within the SAML library preventing the FIPS security policy being enabled in Windows. It's the .NET framework and underlying operating system which determine whether to use a FIPS compliant cryptographic module or not.

If you're using an up to date version of Windows server and .NET framework v4.8 or higher there shouldn't be any issues.

I suggest enabling FIPS in your environment and confirming there are no issues.

[/quote]

Thank you for the information you provided. I have a specific question regarding the SAML library created by ComponentSpace. Can you please confirm whether the SAML library created by ComponentSpace employs FIPS-approved encryption and decryption algorithms for SAML assertions? It's important for our security compliance, and I would appreciate any insights you can provide on this matter. Thank you in advance!

I can confirm we support the XML encryption algorithms listed in the SAML specification and that these are FIPS approved.

The algorithms used for SAML assertion encryption/decryption are configurable but default to "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" for the key encryption and "http://www.w3.org/2001/04/xmlenc#aes256-cbc" for the data encryption.


[quote]
ComponentSpace - 10/18/2023
I can confirm we support the XML encryption algorithms listed in the SAML specification and that these are FIPS approved.

The algorithms used for SAML assertion encryption/decryption are configurable but default to "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" for the key encryption and "http://www.w3.org/2001/04/xmlenc#aes256-cbc" for the data encryption.


[/quote]

Thank you for confirming the use of FIPS-approved encryption algorithms in the SAML library. I have a few more questions related to SAML assertion encryption and decryption:

Configuration: Can you please guide me on where and how we can configure the SAML assertion encryption algorithm within the SAML library?

Decryption Process: I noticed that the code uses the SendSSO method for sending the SAML response to the Service Provider in SP-initiated SSO. However, I didn't find explicit details on how the assertion is encrypted and decrypted. Could you provide information on how the library handles the decryption process?

Decryption Capability of the Library: Full SAML Response vs. Encrypted SAML Assertion Only: I observed that the full SAML response is encrypted and decrypted correctly, with user attributes being populated at the Service Provider's side. Could you please clarify - Is the library designed to decrypt only the entire SAML response, or can it correctly handle the decryption of an encrypted SAML assertion within a SAML response where only the SAML Assertion part is encrypted?

I appreciate your assistance in clarifying these details as they are crucial for our implementation/evaluation. Thank you in advance!

Configuration:
I’ve copied the following information from our Configuration Guide. It describes the KeyEncryptionMethod and DataEncryptionMethod properties under the section of the SAML configuration.

KeyEncryptionMethod [optional]
The key encryption method specifies how to encrypt the symmetric key used in XML encryption.
The supported key encryption methods are:
· http://www.w3.org/2001/04/xmlenc#rsa-1_5
· http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
The RSA-OAEP extension adds the following key encryption method:
· http://www.w3.org/2009/xmlenc11#rsa-oaep
Refer to the Developer Guide for information on adding RSA-OAEP support.
The default is http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.

DataEncryptionMethod [optional]
The data encryption method specifies how to encrypt the data in XML encryption.
The supported data encryption methods are:
· http://www.w3.org/2001/04/xmlenc#tripledes-cbc
· http://www.w3.org/2001/04/xmlenc#aes128-cbc
· http://www.w3.org/2001/04/xmlenc#aes192-cbc
· http://www.w3.org/2001/04/xmlenc#aes256-cbc
The AES-GCM extension adds the following data encryption methods:
· http://www.w3.org/2009/xmlenc11#aes128-gcm
· http://www.w3.org/2009/xmlenc11#aes192-gcm
· http://www.w3.org/2009/xmlenc11#aes256-gcm
Refer to the Developer Guide for information on adding AES-GCM support.
The default is http://www.w3.org/2001/04/xmlenc#aes256-cbc.

Decryption Process:
SAMLIdentityProvider.SendSSO creates and sends a SAML response to the SP. If the EncryptionAssertion flag under the configuration entry is true, the SAML response contains an encrypted assertion. The encryption methods are controlled by the KeyEncryptionMethod and DataEncryptionMethod parameters described above. SAMLIdentityProvider.SendSSO isn’t involved with decrypting the assertion. Instead, SAMLServiceProvider.ReceiveSSO handles decrypting the assertion as part of receiving and processing a SAML response.

Decryption Capability:
SAML responses are never encrypted. That’s not part of the SAML specification. SAML assertions may be encrypted. We fully support the encryption and decryption of SAML assertions.
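The flow described in the three answers above (the IdP encrypting the assertion with the default rsa-oaep-mgf1p key method and aes256-cbc data method, the SP unwrapping it, and the Response element itself never being encrypted), as an added example in Python. This is not ComponentSpace code: it assumes the cryptography package, a constructed RSA key pair and a constructed assertion, and it adds an SP-side algorithm allowlist check that the thread does not mention.

```python
import base64, os
from xml.etree import ElementTree as ET
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import padding as apad, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"  # default KeyEncryptionMethod
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"          # default DataEncryptionMethod
ALLOWED = {"key": {RSA_OAEP_MGF1P}, "data": {AES256_CBC}}  # SP allowlist (added here): rsa-1_5 and 3DES refused
OAEP_SHA1 = apad.OAEP(mgf=apad.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None)  # per xmlenc
make_sp_key = lambda: rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed SP key

def encrypt_assertion(assertion_xml: bytes, sp_public_key) -> str:
    """IdP side (the part of SendSSO in question): AES-256-CBC the assertion, RSA-OAEP-MGF1P wrap the key."""
    key, iv = os.urandom(32), os.urandom(16)
    padder = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    data = iv + enc.update(padder.update(assertion_xml) + padder.finalize()) + enc.finalize()  # IV prepended
    wrapped_key = sp_public_key.encrypt(key, OAEP_SHA1)
    b64 = lambda b: base64.b64encode(b).decode()
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<saml:EncryptedAssertion xmlns:saml="{NS["saml"]}">'
            f'<xenc:EncryptedData xmlns:xenc="{NS["xenc"]}" xmlns:ds="{NS["ds"]}">'
            f'<xenc:EncryptionMethod Algorithm="{AES256_CBC}"/>'
            f'<ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}"/>'
            f'<xenc:CipherData><xenc:CipherValue>{b64(wrapped_key)}</xenc:CipherValue></xenc:CipherData>'
            f'</xenc:EncryptedKey></ds:KeyInfo>'
            f'<xenc:CipherData><xenc:CipherValue>{b64(data)}</xenc:CipherValue></xenc:CipherData>'
            f'</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')

def decrypt_assertion(response_xml: str, sp_private_key) -> bytes:
    """SP side (the part of ReceiveSSO in question): locate EncryptedAssertion, check methods, unwrap, decrypt."""
    root = ET.fromstring(response_xml)
    enc_data = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc_data is None:  # only the assertion is ever encrypted, never the Response element itself
        raise ValueError("Response carries no EncryptedAssertion")
    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    data_alg = enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm")
    key_alg = enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm")
    if key_alg not in ALLOWED["key"] or data_alg not in ALLOWED["data"]:
        raise ValueError(f"refusing encryption methods {key_alg} / {data_alg}")
    cv = "xenc:CipherData/xenc:CipherValue"
    key = sp_private_key.decrypt(base64.b64decode(enc_key.find(cv, NS).text), OAEP_SHA1)
    blob = base64.b64decode(enc_data.find(cv, NS).text)
    dec = Cipher(algorithms.AES(key), modes.CBC(blob[:16])).decryptor()  # first 16 bytes are the IV
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(dec.update(blob[16:]) + dec.finalize()) + unpadder.finalize()
```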

Thanks!

One quick query: I am getting the error "The partner identity provider https://www.okta.com/exkd5x1wjqROBVSon5d7 is not configured" while working with SP-initiated SSO. Can you suggest what settings I am missing? Below are the existing settings in saml.config:

<?xml version="1.0"?>

<ServiceProvider
    Name="https://MySPProviderURL/"
    Description="Service Provider"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">

<PartnerIdentityProvider
    Name="https://OKTAURL/sso/saml"
    Description="Identity Provider"
    SingleSignOnServiceUrl="https://OKTAURL/sso/saml"
    SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleLogoutServiceUrl="">
It sounds like the partnerName parameter being passed into SAMLServiceProvider.InitiateSSO is "https://www.okta.com/exkd5x1wjqROBVSon5d7".

This value must match one of the Name values in your saml.config. In your case, the name is "https://OKTAURL/sso/saml".

This name, in turn, must match the identity provider issuer listed in the Okta admin console, which is also available as the EntityID in the Okta SAML metadata.

I suspect you need to change your saml.config to <PartnerIdentityProvider Name="https://www.okta.com/exkd5x1wjqROBVSon5d7" but you should confirm this by looking at the settings in the Okta admin console.

You’ll find the Okta integration guide at:

https://www.componentspace.com/forums/5439/Okta-Integration-Guide