Is there a standard format of SAML 2.0 encrypted assertion

user1825949 · May 6, 2013 · Viewed 7.3k times

I am implementing an SP initiated web browser SAML SSO profile in JBOSS.

My application is the SP.

After login, I expect the IDP to send me an encrypted assertion of the following format:

<samlp:Response...>
  <ds:Signature>...
    <ds:KeyInfo>....</ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>...</samlp:Status> 
  <saml:EncryptedAssertion>...</saml:EncryptedAssertion>
</samlp:Response>

It works fine for some of the IDPs, but now I have an IDP which sends me:

<saml2p:Response...>
  <saml2p:Status>...</saml2p:Status>
  <saml2:EncryptedAssertion>...
      <ds:KeyInfo>...</ds:KeyInfo>
  </saml2:EncryptedAssertion>
</saml2p:Response>

And the authentication fails since the signature is missing.

My question is: Is there a standard format of SAML 2.0 encrypted assertion which I can tell the IDP admin to use? Or must I support both ways?

Thanks

Answer

Stefan Rasmusson · May 6, 2013

According to the XMLenc standard that is used in SAML2, KeyInfo can be used, but inside the encrypted data, not inside the encrypted assertion.

Signature on the response is optional, as reflected by 5.2 in the SAML spec.

So if this is the case, you can't make them change for not following the standard.
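As an added illustration of the point made in this answer (this is example code written for this page, not code from the question, the answer, or any SAML library), the following Python script inspects a SAML 2.0 Response and reports where the signature and the KeyInfo elements actually sit. It keys on namespace URIs rather than prefixes, so the `samlp`/`saml` and `saml2p`/`saml2` shapes from the question are treated identically, and it flags a KeyInfo placed directly under EncryptedAssertion as outside the XML-Enc layout. The three Response documents are constructed samples with placeholder cipher and certificate values; element and attribute names are the real SAML/XML-DSig/XML-Enc ones.

```python
import xml.etree.ElementTree as ET

# SAML 2.0, XML-DSig and XML-Enc namespace URIs. An IdP may bind these to any
# prefix (samlp vs saml2p, saml vs saml2), so structural checks must key on the
# URI, never on the prefix that happens to appear in the document.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def _q(prefix, local):
    """Clark-notation tag name, e.g. {urn:...:protocol}Response."""
    return "{%s}%s" % (NS[prefix], local)

def inspect_response(xml_text):
    """Summarise where signatures and KeyInfo elements sit in a SAML 2.0 Response."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("samlp", "Response"):
        raise ValueError("not a SAML 2.0 Response element: %r" % root.tag)
    parent = {child: p for p in root.iter() for child in p}

    def path(el):  # local-name path from the Response root down to el
        parts = []
        while el is not None:
            parts.append(el.tag.rsplit("}", 1)[-1])
            el = parent.get(el)
        return "/".join(reversed(parts))

    encrypted = root.find("saml:EncryptedAssertion", NS)
    plain = root.find("saml:Assertion", NS)
    return {
        # Only a <ds:Signature> that is a direct child of <Response> signs the Response.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "plain_assertion_signed": plain is not None and plain.find("ds:Signature", NS) is not None,
        "has_encrypted_assertion": encrypted is not None,
        # XML-Enc puts <ds:KeyInfo> inside <xenc:EncryptedData> / <xenc:EncryptedKey>;
        # a <ds:KeyInfo> directly under <EncryptedAssertion> is outside that schema.
        "misplaced_keyinfo": encrypted is not None and encrypted.find("ds:KeyInfo", NS) is not None,
        "keyinfo_paths": sorted(path(k) for k in root.iter(_q("ds", "KeyInfo"))),
    }

def signature_status(info):
    """What the SP must verify before trusting the Response (structure only, no crypto)."""
    if info["response_signed"]:
        return "response-signed"          # verify the Response signature
    if info["plain_assertion_signed"]:
        return "assertion-signed"         # verify the Assertion signature
    if info["has_encrypted_assertion"]:
        return "verify-after-decryption"  # decrypt, then require a signed Assertion
    return "unsigned"                     # nothing to verify: reject

# Constructed sample 1: Response-level signature plus an encrypted assertion
# (the shape the question says works).
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>Y2lwaGVy</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample 2: no Response signature, saml2p/saml2 prefixes, and KeyInfo
# where XML-Enc puts it (inside EncryptedData, wrapping an EncryptedKey).
UNSIGNED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <ds:KeyInfo><ds:KeyName>sp-encryption-key</ds:KeyName></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y2lwaGVy</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>"""

# Constructed sample 3: same as sample 2, but with a stray <ds:KeyInfo> placed
# directly under <EncryptedAssertion>, as in the question's second snippet.
MISPLACED_KEYINFO_RESPONSE = UNSIGNED_RESPONSE.replace(
    "<saml2:EncryptedAssertion>",
    "<saml2:EncryptedAssertion><ds:KeyInfo><ds:KeyName>stray</ds:KeyName></ds:KeyInfo>")

if __name__ == "__main__":
    for doc in (SIGNED_RESPONSE, UNSIGNED_RESPONSE, MISPLACED_KEYINFO_RESPONSE):
        info = inspect_response(doc)
        print(signature_status(info), info)
```

The script only classifies structure: an SP that sees `verify-after-decryption` must still decrypt the assertion with its own key and then require and verify a signature on the decrypted Assertion before accepting it, since neither sample carries a verifiable signature over the encrypted content. Rejecting the second shape outright, as the question's SP does, is stricter than the standard requires. The stdlib ElementTree parser is used here for brevity; a production SP should parse untrusted SAML with a hardened parser and delegate signature and decryption handling to a maintained SAML library.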