ComponentSpace Forums

Is it required to encrypt the Assertion in IdP SSO Response? What is the benefit of encrypting the...
jyao@acats.com
Hi

I have an ASP.NET MVC IdP site and multiple ASP.NET MVC SP sites. The SSO is being processed under SSL.
When I am setting up the IdP SAML configuration, I see inside the PartnerServiceProvider there is an attribute "EncryptAssertion".

I would like to ask some questions.
1. Is it required to encrypt the Assertion in the IdP SSO Response?
2. What is the benefit of encrypting the Assertion?
3. I have attached a file with a sample non-encrypted SAML Response. What parts of the SAML Response are encrypted when "EncryptAssertion" is set to true?
Attachments
Sample SAML Response.xml (1 view, 3.00 KB)
ComponentSpace Development
1. Encrypting the SAML assertion is optional. In most situations it isn't encrypted and privacy is provided at the transport layer using HTTPS.

2. It's an extra level of security that's enabled if the SAML assertion contains particularly sensitive user information or the environment dictates the need. HTTPS should always be used so SAML assertion encryption is on top of the security provided at the transport layer. If there are intermediate network nodes, the HTTPS traffic may be decrypted. The SAML assertion will remain encrypted from IdP through to SP regardless of any intermediate network nodes.

3. Instead of the <Assertion> node there's an <EncryptedAssertion> node.

Regards
ComponentSpace Development
jyao@acats.com
ComponentSpace - 5/29/2018
1. Encrypting the SAML assertion is optional. In most situations it isn't encrypted and privacy is provided at the transport layer using HTTPS.

2. It's an extra level of security that's enabled if the SAML assertion contains particularly sensitive user information or the environment dictates the need. HTTPS should always be used so SAML assertion encryption is on top of the security provided at the transport layer. If there are intermediate network nodes, the HTTPS traffic may be decrypted. The SAML assertion will remain encrypted from IdP through to SP regardless of any intermediate network nodes.

3. Instead of the <Assertion> node there's an <EncryptedAssertion> node.

Thank you very much. 

Is the IdP using the SP's certificate to encrypt the Assertion?
jyao@acats.com
jyao@acats.com - 5/30/2018
ComponentSpace - 5/29/2018
1. Encrypting the SAML assertion is optional. In most situations it isn't encrypted and privacy is provided at the transport layer using HTTPS.

2. It's an extra level of security that's enabled if the SAML assertion contains particularly sensitive user information or the environment dictates the need. HTTPS should always be used so SAML assertion encryption is on top of the security provided at the transport layer. If there are intermediate network nodes, the HTTPS traffic may be decrypted. The SAML assertion will remain encrypted from IdP through to SP regardless of any intermediate network nodes.

3. Instead of the <Assertion> node there's an <EncryptedAssertion> node.

Thank you very much. 

Is the IdP using the SP's certificate to encrypt the Assertion?

I found the answer in the ComponentSpace samlv2developer-guide.pdf: it encrypts with the SP's certificate.
ComponentSpace Development
That's correct.
The IdP encrypts the SAML assertion with a random symmetric key which in turn is encrypted with the SP's public key.
The SP uses its private key to decrypt the symmetric key which in turn is used to decrypt the SAML assertion.
This ensures that only the SP can decrypt the SAML assertion.

Regards
ComponentSpace Development
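The two ComponentSpace answers above (an <EncryptedAssertion> replacing the <Assertion>, and a random symmetric key that is itself wrapped with the SP's public key) describe the XML Encryption key-transport pattern. The following Go program is an added illustration of that pattern written for this page; it is not ComponentSpace's code and does not reproduce what the library emits. It uses only the Go standard library so it runs stand-alone, and everything in it is an assumption for demonstration purposes: the throwaway RSA key pair stands in for the SP's encryption certificate, the SampleAssertion is constructed, AES-256-GCM and RSA-OAEP (SHA-256) are the chosen algorithms, and the rendered XML only shows the element nesting (namespace declarations omitted, not conformant xenc output).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// XML Encryption algorithm identifiers as an <EncryptedAssertion> declares them.
// Assumed choices for this example: AES-256-GCM for the assertion, RSA-OAEP (SHA-256)
// for key transport. The URIs are for orientation; the output is not conformant xenc XML.
const (
	DataEncAlg = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
	KeyEncAlg  = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
)

// SampleAssertion is a constructed, minimal assertion standing in for the
// <saml:Assertion> the IdP would otherwise place in the Response.
const SampleAssertion = `<saml:Assertion ID="_demo" Version="2.0">` +
	`<saml:Issuer>https://idp.example.test</saml:Issuer>` +
	`<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>`

// EncryptedAssertion holds what replaces <saml:Assertion>: an <xenc:EncryptedData>
// whose <ds:KeyInfo> carries the random session key as an <xenc:EncryptedKey>.
type EncryptedAssertion struct {
	DataAlg      string
	KeyAlg       string
	EncryptedKey []byte // random AES key wrapped with the SP's RSA public key
	CipherValue  []byte // IV || AES-GCM ciphertext of the assertion (IV prepended, as in xenc)
}

// GenerateSPKey makes a throwaway RSA key pair standing in for the SP's encryption certificate.
func GenerateSPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptAssertion is the IdP side: a fresh random symmetric key per assertion,
// the assertion encrypted under it, the key wrapped with the SP's public key.
func EncryptAssertion(assertionXML []byte, spPub *rsa.PublicKey) (*EncryptedAssertion, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil { return nil, err }
	ct := gcm.Seal(nil, iv, assertionXML, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, key, nil)
	if err != nil { return nil, err }
	return &EncryptedAssertion{DataEncAlg, KeyEncAlg, wrapped, append(iv, ct...)}, nil
}

// DecryptAssertion is the SP side: only the holder of the matching private key can
// unwrap the symmetric key, and GCM rejects a ciphertext that was modified in transit.
func DecryptAssertion(ea *EncryptedAssertion, spPriv *rsa.PrivateKey) ([]byte, error) {
	if ea.DataAlg != DataEncAlg || ea.KeyAlg != KeyEncAlg {
		return nil, errors.New("unsupported encryption algorithm") // allow-list; never trust the sender's choice
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, spPriv, ea.EncryptedKey, nil)
	if err != nil { return nil, fmt.Errorf("key transport: %w", err) }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(ea.CipherValue) < n { return nil, errors.New("CipherValue too short") }
	pt, err := gcm.Open(nil, ea.CipherValue[:n], ea.CipherValue[n:], nil)
	if err != nil { return nil, fmt.Errorf("assertion decryption: %w", err) }
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// ToXML renders the element nesting of an EncryptedAssertion (namespace
// declarations omitted) so it can be compared with the plain Response.
func (ea *EncryptedAssertion) ToXML() string {
	b64 := base64.StdEncoding.EncodeToString
	return fmt.Sprintf(`<saml:EncryptedAssertion>
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm=%q/>
    <ds:KeyInfo><xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm=%q/>
      <xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>`, ea.DataAlg, ea.KeyAlg, b64(ea.EncryptedKey), b64(ea.CipherValue))
}

func main() {
	spKey, err := GenerateSPKey()
	if err != nil { panic(err) }
	ea, err := EncryptAssertion([]byte(SampleAssertion), &spKey.PublicKey)
	if err != nil { panic(err) }
	fmt.Println(ea.ToXML())
	pt, err := DecryptAssertion(ea, spKey)
	if err != nil { panic(err) }
	fmt.Println(string(pt))
}
```

Two points the code makes that the answers leave implicit: a second SP's private key cannot unwrap the session key, so it cannot read the assertion even with full access to the Response, and the SP checks the declared algorithms against a fixed allow-list instead of honouring whatever the message claims. Encryption gives confidentiality only; it says nothing about who produced the assertion, which is the job of the XML signature that the SP must still verify.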