0

All my logout responses from simplesamlphp IdP come encrypted. I looked in simplesamlphp docs but cannot find any option to switch off encryption.

(I have logout signing on; but signing should be independent of encryption, and use Redirect binding)

Is it possible to send logout responses via Redirect binding inencrypted? Or is always on by default for some reason?

Charles
  • 50,943
  • 13
  • 104
  • 142

2 Answers2

0

Paramenter 'assertion.encryption' defined on IdP remote metadata

Whether assertions received from this IdP must be encrypted. The default value is FALSE. If this option is set to TRUE, assertions from the IdP must be encrypted. Unencrypted assertions will be rejected.

Note that this option overrides the option with the same name in the SP configuration.

Reference: http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote

Parameter 'assertion.encryption' in saml20-idp-hosted.php

Whether assertions sent from this IdP should be encrypted. The default value is FALSE.

Note that this option can be set for each SP in the SP-remote metadata.

Reference: http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted

Edited to add an explanation:

simpleSAMLphp uses the function encryptAssertion (modules/saml/lib/IdP/SAML2.php) to decide if encrypt or not all the assertions that it handler. This function checks the values of the 'assertion.encryption' defined on the IdP/SP metadata file (if this parameter is not defined the assertion is not encrypted

private static function encryptAssertion(SimpleSAML_Configuration $idpMetadata,
            SimpleSAML_Configuration $spMetadata, SAML2_Assertion $assertion) {

            $encryptAssertion = $spMetadata->getBoolean('assertion.encryption', NULL);
            if ($encryptAssertion === NULL) {
                    $encryptAssertion = $idpMetadata->getBoolean('assertion.encryption', FALSE);
            }
            if (!$encryptAssertion) {
                    /* We are _not_ encrypting this assertion, and are therefore done. */
                    return $assertion;
            }
smartin
  • 2,957
  • 2
  • 23
  • 33
  • But of course I know about 'assertion.encryption', I told I looked in the docs. But it is of no value. If you read the question, I am asking about _logout responses_. Those are different from assertions (and of course, I have assertion.enctyption in its default FALSE value). –  Sep 13 '13 at 08:41
  • All assertions are handler by the same function encryptAssertion and this function only check 'assertion.encryption' parameter. – smartin Sep 13 '13 at 10:29
  • I don't understand what mean "encrypt logout responses". In a message you can encrypt nameID or assertions. – smartin Sep 13 '13 at 10:40
  • The whole message is encrypted. It's garbage, not XML (after base64-decoding). –  Sep 15 '13 at 16:06
0

The issue was with something else. I just reused the code that processed POST binding to also process Redirect binding; but with Redirect binding, the payload is deflated, so the code for POST cannot be reused directly.