Is it necessary to encrypt a SAML request if I am signing it with my private key and sending it over SSL? Or would it be better practice to sign it using my private key, encrypt it using the identity provider's public key AND transmit it over SSL?
Receive signed SAML authentication responses: If Auth0 is the SAML service provider, all SAML responses from your identity provider should be signed to indicate they haven't been tampered with by an unauthorized third party.
In SAML the most important thing for an SP is to be able to validate that the assertion is indeed from the IDP and not from some fake source. That can only be done through signing with the IDP's key. That's why signing is mandatory in the SAML standard.
HTTPS is required by default to configure SAML. As the SAML protocol is browser-based, both the product and the Identity Provider must use HTTPS (rather than HTTP) to prevent man-in-the-middle attacks and the capture of XML documents containing SAML assertions.
A SAML assertion query / request usually doesn't contain much private data, and the request itself is usually not persisted for use later, so there is little need to encrypt the SAML request itself. Signing it will allow the receiver to verify that the contents have not been altered in transit, and transmitting it via SSL will provide privacy during transmission. Encrypting the request in this situation is probably overkill.
A SAML assertion response, however, is a whole different animal. A SAML response that contains claims or assertions will likely contain private data. Depending on how these assertions are being used in your system, the assertions may be passed around between different parties, some of which have the keys required to decrypt the content (because they have a trust relationship with the SAML provider) and some which do not. The SAML assertions could be stored in a cache or in a database, so you really don't know who will be poking through them in the future.
If the SAML response contains claims and assertions that contain private data, and the receiver of the response will be holding onto the SAML assertion for an indefinite period or passing the SAML assertions through intermediate parties you do not trust, then yes, the SAML assertions should be encrypted and the response signed, regardless of whether it is transmitted by SSL or not. Encryption is to protect the privacy of the data after it arrives at the other end of the SSL pipe.
And, the other end of the SSL pipe is the browser. There's one pipe from the IdP to the browser, and another from the browser to the Service Provider. If the Assertion is not encrypted, the Assertion would be available to anyone at the browser. An attacker could use the unencrypted Name Identifier in some kind of attack on future SAML documents and interactions.
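The sign-and-encrypt pattern the answer above recommends for the response, as an added example that is not part of the original answer or of any SAML library. It is a simplified model, not XML-DSig/XML-Enc: the assertion is JSON rather than XML, the content is encrypted with a fresh AES-256-GCM key that is wrapped with the service provider's RSA-OAEP public key (the role played by EncryptedKey/EncryptedData in SAML), and the IdP signs the encrypted payload with RSA-PSS. All key pairs, the `Assertion`/`Response` types and the `BuildResponse`/`OpenResponse` function names are constructed for this example. The point it demonstrates is the one in the answer: the SP verifies the signature before touching the ciphertext, a party that holds the response but not the SP's private key (the browser, a cache, an untrusted intermediary) cannot read the assertion even though TLS has already ended, and any tampering or a response from a different issuer is rejected.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion stands in for the SAML <Assertion> element (constructed for this
// example; real assertions are XML and are signed with XML-DSig after C14N).
type Assertion struct {
	Issuer string `json:"issuer"`
	NameID string `json:"name_id"`
	Email  string `json:"email"`
}

// Response models the parts of a SAML Response that matter here.
type Response struct {
	EncryptedAssertion []byte // AES-GCM ciphertext, analogous to <EncryptedData>
	Nonce              []byte // AES-GCM nonce
	WrappedKey         []byte // RSA-OAEP wrapped AES key, analogous to <EncryptedKey>
	Signature          []byte // RSA-PSS over the fields above, analogous to <ds:Signature>
}

// signedPayload is the byte string the IdP signs: the ciphertext, nonce and
// wrapped key, so any change to them invalidates the signature.
func signedPayload(r *Response) []byte {
	return bytes.Join([][]byte{r.EncryptedAssertion, r.Nonce, r.WrappedKey}, []byte{0})
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildResponse is the IdP side: encrypt the assertion for the SP's public key
// (hybrid scheme: random AES key, RSA-OAEP wrapped), then sign with the IdP key.
func BuildResponse(a Assertion, idpPriv *rsa.PrivateKey, spPub *rsa.PublicKey) (*Response, error) {
	plain, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // fresh AES-256 content key per response
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	r := &Response{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(r.Nonce); err != nil {
		return nil, err
	}
	r.EncryptedAssertion = gcm.Seal(nil, r.Nonce, plain, nil)
	if r.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, key, nil); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(signedPayload(r))
	if r.Signature, err = rsa.SignPSS(rand.Reader, idpPriv, crypto.SHA256, digest[:], nil); err != nil {
		return nil, err
	}
	return r, nil
}

// OpenResponse is the SP side: check the IdP signature first (a forged or
// tampered response is rejected before any decryption), then unwrap the
// content key with the SP private key and decrypt the assertion.
func OpenResponse(r *Response, idpPub *rsa.PublicKey, spPriv *rsa.PrivateKey) (*Assertion, error) {
	digest := sha256.Sum256(signedPayload(r))
	if err := rsa.VerifyPSS(idpPub, crypto.SHA256, digest[:], r.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the trusted IdP or tampered")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, r.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: not the intended recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, r.Nonce, r.EncryptedAssertion, nil)
	if err != nil {
		return nil, err
	}
	var a Assertion
	if err := json.Unmarshal(plain, &a); err != nil {
		return nil, err
	}
	return &a, nil
}

func main() {
	// Constructed keys for a demo run; in practice these come from the metadata exchange.
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	a := Assertion{Issuer: "https://idp.example", NameID: "user-42", Email: "alice@example.test"}
	resp, _ := BuildResponse(a, idpKey, &spKey.PublicKey)
	got, err := OpenResponse(resp, &idpKey.PublicKey, spKey)
	fmt.Println(got, err)
}
```

Verifying before decrypting matters: the SP never feeds attacker-controlled ciphertext into its decryption path unless the IdP's signature already covers it, which is also why the signature here is over the encrypted form rather than only over the plaintext assertion.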