Is there a standard format of SAML 2.0 encrypted assertion

I am implementing an SP initiated web browser SAML SSO profile in JBOSS.

My application is the SP.

After login, I expect the IDP to send me an encrypted assertion of the following format:

<samlp:Response...>
  <ds:Signature>...
    <ds:KeyInfo>....</ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>...</samlp:Status> 
  <saml:EncryptedAssertion>...</saml:EncryptedAssertion>
</samlp:Response>

It works fine for some of the IDPs, but now I have an IDP which sends me:

<saml2p:Response...>
  <saml2p:Status>...</saml2p:Status>
  <saml2:EncryptedAssertion>...
      <ds:KeyInfo>...</ds:KeyInfo>
  </saml2:EncryptedAssertion>
</saml2p:Response>

And the authentication fails since the signature is missing.

My question is: Is there a standard format of SAML 2.0 encrypted assertion which I can tell the IDP admin to use? Or must I support both ways?

Thanks

user1825949 asked May 06 '13 07:05



1 Answer

According to the XMLenc standard that is used in SAML2, KeyInfo can be used, but inside the encrypted data, not inside the encrypted assertion.

The signature on the response is optional, as reflected by 5.2 in the SAML spec.

So if this is the case, you can't make them change for not following the standard.

Stefan Rasmusson answered Oct 05 '22 06:10
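The practical consequence of the answer is that the SP has to support both shapes: when the Response carries a ds:Signature, verify it; when it does not, the only signature the SP will see is the one on the Assertion inside the EncryptedAssertion, so the SP must decrypt first and then verify the decrypted Assertion (the Web Browser SSO profile requires the Assertion itself to be signed when it arrives over HTTP-POST). The script below is an added example, not code from the question, the answer or JBoss: it parses a Response with the standard library, reports whether the Response is signed, where ds:KeyInfo sits (under xenc:EncryptedData, as XMLenc expects, or directly under EncryptedAssertion, as the second IdP does), and decides which signature check the SP has to run. It does not perform the decryption or signature verification themselves. The two sample messages are constructed from the shapes in the question; the element IDs, the status code and the "..." placeholders are assumptions. Namespace prefixes (samlp vs saml2p) are irrelevant here because lookups are by namespace URI.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by SAML 2.0, XML Signature and XML Encryption.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def classify_response(xml_text: str) -> dict:
    """Inspect a SAML 2.0 Response and decide which signature check applies.

    Returns a dict with:
      response_signed   - ds:Signature is a direct child of samlp:Response
      status_success    - StatusCode is the Success URI
      keyinfo_location  - "EncryptedData", "EncryptedAssertion" or None
      required          - the check the SP must perform before trusting it
    Note: for untrusted input in production, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)

    response_signed = root.find("ds:Signature", NS) is not None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status_success = code is not None and code.get("Value") == SUCCESS

    enc = root.find("saml:EncryptedAssertion", NS)
    plain = root.find("saml:Assertion", NS)

    keyinfo_location = None
    if enc is not None:
        # XMLenc places ds:KeyInfo inside xenc:EncryptedData (the standard case).
        if enc.find("xenc:EncryptedData/ds:KeyInfo", NS) is not None:
            keyinfo_location = "EncryptedData"
        # Some IdPs put it directly under EncryptedAssertion; tolerate but flag it.
        elif enc.find("ds:KeyInfo", NS) is not None:
            keyinfo_location = "EncryptedAssertion"

    if not status_success:
        required = "reject"
    elif response_signed:
        # The Response signature covers everything, including the ciphertext.
        required = "verify-response-signature"
    elif enc is not None:
        # No envelope signature: decrypt, then verify the Assertion's own signature.
        required = "decrypt-then-verify-assertion-signature"
    elif plain is not None:
        required = "verify-assertion-signature"
    else:
        required = "reject"

    return {
        "response_signed": response_signed,
        "status_success": status_success,
        "keyinfo_location": keyinfo_location,
        "required": required,
    }


# Constructed sample 1: signed Response, KeyInfo inside EncryptedData (standard).
RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>...</ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>...</ds:KeyInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <ds:KeyInfo><xenc:EncryptedKey>...</xenc:EncryptedKey></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample 2: the second IdP's shape, unsigned Response, saml2 prefixes,
# KeyInfo directly under EncryptedAssertion.
RESPONSE_UNSIGNED = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:EncryptedAssertion>
    <ds:KeyInfo>...</ds:KeyInfo>
  </saml2:EncryptedAssertion>
</saml2p:Response>"""


if __name__ == "__main__":
    for name, msg in (("signed", RESPONSE_SIGNED), ("unsigned", RESPONSE_UNSIGNED)):
        print(name, classify_response(msg))
```

Whatever branch is taken, the SP must verify a signature over the element it actually consumes: with the unsigned-Response shape, that means verifying the ds:Signature on the decrypted saml:Assertion (and checking that the signed element is the one whose attributes are used), never accepting a decrypted Assertion that carries no signature.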