XML encryption may be used to encrypt SAML assertions, attributes and certain identifiers.
XML encryption ensures the confidentiality of any sensitive data contained within the XML.
For example, an encrypted assertion is contained within an <EncryptedAssertion> element in the http://www.w3.org/2001/04/xmlenc# namespace. The SAML assertion may be encrypted because it contains sensitive user information.
Note that, in some circumstances, HTTPS transport level security may be considered sufficient for the protection of any confidential data.
The following is an example of an encrypted SAML assertion.
An encrypter encrypts with the decrypter’s public key and the decrypter decrypts with their private key. For example, the IdP encrypts the SAML assertion using the SP’s public key or certificate. The SP decrypts the SAML assertion using the SP’s private key.
XML encryption involves the creation of a random symmetric key which is used to encrypt the data. The symmetric key is then encrypted using the public asymmetric key. To decrypt, the private asymmetric key is used to decrypt the random symmetric key, which in turn is used to decrypt the data. A symmetric key is used to encrypt the data itself for performance reasons; asymmetric encryption is applied only to the short symmetric key.