YMC

Reputation: 5462

Where does ComponentSpace SAML 2.0 take the key to encrypt assertions from?

When I run the following code (the ComponentSpace SAML 2.0 lib is used), Fiddler shows me that the SAMLRequest's value is encrypted like this: <input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhu....">, which is pretty expected behavior. The code implements the first step of the SSO SAML 2.0 POST profile. Note that no certificate key is specified in the code to do any kind of encryption, so I wonder how the ComponentSpace lib decides which one to pick up?

    // Build the AuthnRequest (first step of the SP-initiated SSO POST profile)
    var authnRequest = new AuthnRequest
    {
        Destination = @"https://idpserver/...",
        Issuer = new Issuer(@"https://sp/..."),
        ForceAuthn = false,
        NameIDPolicy = new NameIDPolicy(null, null, true),
        ProtocolBinding = SAMLIdentifiers.BindingURIs.HTTPPost,
        AssertionConsumerServiceURL = @"https://sp/..."
    };

    // Cache the relay state so the SP can resume where it left off once the IdP responds
    var relayState = RelayStateCache.Add(new RelayState(@"https://sp/...", null));

    // Send the request to the IdP via HTTP POST (note: no certificate is passed here)
    ServiceProvider.SendAuthnRequestByHTTPPost(
        new HttpResponseWrapper(_context.Response),
        @"https://idpserver/...",
        authnRequest.ToXml(),
        relayState);

All Wikipedia says is "the value of the SAMLRequest parameter is the base64 encoding". No information about which key is used to encode it.

Upvotes: 1

Views: 3391

Answers (2)

ComponentSpace

Reputation: 1367

Sorry for misunderstanding your question. Your example code constructed and sent an authn request. It sounds like you're asking about SAML assertions contained in a SAML response.

The identity provider encrypts the SAML assertion using the service provider's public key. The service provider will decrypt the assertion using its private key.

If you'd like to see an example of this, please take a look at the AssertionExample project which demonstrates encrypting/decrypting SAML assertions.

Step 2 at the link you supplied describes the SP sending an AuthnRequest via HTTP/POST to the IdP. There is no XML encryption involved in sending an AuthnRequest. The XML is encoded using deflate and base-64 but no encryption. This encoding is done for you when you call ServiceProvider.SendAuthnRequestByHTTPPost.

Upvotes: 1
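To make the point of this answer concrete, here is an added Python example (not code from the question, the answer, or the ComponentSpace library) that recovers the AuthnRequest XML from a SAMLRequest parameter without any key. It handles both the plain base64 of the HTTP-POST form field (the question's value begins "PHNhbWxwOkF1dGhu", which is simply the base64 of "<samlp:Authn") and the DEFLATE-then-base64 encoding used by the HTTP-Redirect binding; the sample request and its URLs are constructed placeholders, not taken from a real deployment.

```python
import base64
import zlib

# Constructed sample AuthnRequest mirroring the fields the question's code sets.
# URLs, ID and timestamp are placeholders (assumption, not from the page).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://idpserver/sso" ForceAuthn="false" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp/acs">'
    '<saml:Issuer>https://sp/</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: the SAMLRequest form field is just base64 of the XML."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    (The query string also URL-encodes the result; omitted here.)"""
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_request(value: str) -> str:
    """Recover the XML from a SAMLRequest value produced by either binding.

    No key is involved: the value is only base64, optionally preceded by
    DEFLATE. Anyone holding the value can read it, so confidentiality of the
    request rests on TLS and its integrity on an XML signature."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")  # POST binding: plain XML
    return zlib.decompress(raw, wbits=-15).decode("utf-8")  # Redirect binding


if __name__ == "__main__":
    post_value = encode_post_binding(SAMPLE_AUTHN_REQUEST)
    print("POST form value starts with:", post_value[:16])
    print(decode_saml_request(post_value)[:40])
    print(decode_saml_request(encode_redirect_binding(SAMPLE_AUTHN_REQUEST))[:40])
```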

ComponentSpace

Reputation: 1367

Signing the authn request is optional.

To sign the request, before calling ServiceProvider.SendAuthnRequestByHTTPPost, you need to do something like the following:

    // Serialize to XML
    XmlElement authnRequestElement = authnRequest.ToXml();

    // Sign the authn request
    SAMLMessageSignature.Generate(authnRequestElement, x509Certificate.PrivateKey, x509Certificate);

    // Send the authn request to the IdP
    ServiceProvider.SendAuthnRequestByHTTPPost(..., authnRequestElement, ...);

You always sign with your private key and the recipient will verify the signature using your public key/certificate.

Upvotes: 0
