I am implementing an SP initiated web browser SAML SSO profile in JBOSS.

My application is the SP.

After login, I expect the IDP to send me an encrypted assertion of the following format:

<samlp:Response...>
  <ds:Signature>...
    <ds:KeyInfo>....</ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>...</samlp:Status> 
  <saml:EncryptedAssertion>...</saml:EncryptedAssertion>
</samlp:Response>

It works fine for some of the IDPs, but now I have an IDP which sends me:

<saml2p:Response...>
  <saml2p:Status>...</saml2p:Status>
  <saml2:EncryptedAssertion>...
      <ds:KeyInfo>...</ds:KeyInfo>
  </saml2:EncryptedAssertion>
</saml2p:Response>

And the authentication fails since the signature is missing.

My question is: Is there a standard format of SAML 2.0 encrypted assertion which I can tell the IDP admin to use? Or must I support both ways?

Thanks

user1825949

1 Answer

According to the XMLenc standard that is used in SAML2, KeyInfo can be used, but inside the EncryptedData, not inside the EncryptedAssertion.

Signature on the response is optional, as reflected by section 5.2 in the SAML spec.

So if this is the case, you can't make them change for not following the standard.

Stefan Rasmusson
  • No, signature is optional as reflected by chapter 5.2 in the spec, https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf – Stefan Rasmusson May 06 '13 at 11:49
  • I added this to the answer – Stefan Rasmusson May 06 '13 at 11:51
  • So how do I verify the sender's identity without signature? – user1825949 May 06 '13 at 13:15
  • If there is no signature on the assertion or at a higher level, for example the response element, you can't verify it using SAML, so it's highly recommended that signing is done. Verification can be done in other ways though, for example client certificates. – Stefan Rasmusson May 06 '13 at 13:30
  • I now see that after I decrypt the EncryptedAssertion using OpenSAML, I can get a certificate using: decryptedAssertion.getSignature().getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue(). Is this the way to verify the sender's identity? Compare this to the certificate he published? – user1825949 May 06 '13 at 13:59
  • Ok, so the assertion is signed. You can use this for verification. – Stefan Rasmusson May 06 '13 at 15:28
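The decrypt-then-verify flow the comments arrive at, written out as an added example (not code from the question or the answer) against the OpenSAML 2.x API the question mentions. `spPrivateKey` and `idpSigningCert` are assumed to be loaded beforehand from the SP's keystore and from the IdP's published metadata; the point is that the signature is validated against that out-of-band certificate, not against whatever certificate the assertion's own KeyInfo happens to carry.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public class AssertionVerifier {

    /** Decrypts the EncryptedAssertion with the SP's private key, then checks the
     *  assertion's signature against the IdP certificate obtained out of band. */
    public static Assertion decryptAndVerify(Response response, PrivateKey spPrivateKey,
                                             X509Certificate idpSigningCert)
            throws DecryptionException, ValidationException {
        // Key-encryption key: the SP's private key unwraps the EncryptedKey that sits
        // inline in the EncryptedData's KeyInfo (the layout the answer describes).
        BasicCredential kek = new BasicCredential();
        kek.setPrivateKey(spPrivateKey);
        Decrypter decrypter = new Decrypter(null,
                new StaticKeyInfoCredentialResolver(kek),
                new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true); // needed so the decrypted ID is resolvable

        EncryptedAssertion enc = response.getEncryptedAssertions().get(0);
        Assertion assertion = decrypter.decrypt(enc);

        Signature sig = assertion.getSignature();
        if (sig == null) {
            throw new ValidationException("assertion is unsigned; issuer cannot be verified");
        }
        // Reject signature structures the SAML profile forbids (detached refs, etc.)
        new SAMLSignatureProfileValidator().validate(sig);
        // Trust anchor is the IdP's published certificate (assumed loaded by caller),
        // never the certificate embedded in the assertion's own KeyInfo.
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(idpSigningCert);
        new SignatureValidator(trusted).validate(sig);
        return assertion;
    }
}
```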