ITfoxtec SAML 2.0 encrypt assertion

Question

Is it possible to encrypt the assertion response with ITfoxtec Identity Saml2 (open source - https://itfoxtec.com/identitysaml2)? Haven't been able to find anything.

The GitHub site (https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2) mentions decrypting but not encrypting. Doesn't seem to be any examples on encrypting either.

Any help is appreciated. Thanks.

Answer 1

In saml2postbinding class, replace BindInternal method with below code.

protected override Saml2PostBinding BindInternal(Saml2Request saml2RequestResponse, string messageName)
    {
        BindInternal(saml2RequestResponse);

        var element1 = XmlDocument.CreateElement("saml2", "EncryptedAssertion", "urn:oasis:names:tc:SAML:2.0:assertion");
        XmlDocument xmlDoc = new XmlDocument();
        var assertionElements = XmlDocument.DocumentElement.SelectNodes($"//*[local-name()='{Saml2Constants.Message.Assertion}']");
        var assertionElement = (assertionElements[0] as XmlElement).ToXmlDocument().DocumentElement;
        var certificate = ITfoxtec.Identity.Saml2.Util.CertificateUtil.Load(@"F:\IT-FoxTec-Core Copy\ITfoxtec.Identity.Saml2-master (1)\ITfoxtec.Identity.Saml2-master\test\TestIdPCore\itfoxtec.identity.saml2.testwebappcore_Certificate.crt");



        var wrappedAssertion = $@"<saml2:EncryptedAssertion xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion"">{assertionElement.OuterXml}</saml2:EncryptedAssertion>";
        xmlDoc.LoadXml(wrappedAssertion);
        var elementToEncrypt = (XmlElement)xmlDoc.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0];
        element1.InnerXml = wrappedAssertion.ToXmlDocument().DocumentElement.SelectNodes($"//*[local-name()='{Saml2Constants.Message.Assertion}']")[0].OuterXml;
        var element2 = wrappedAssertion.ToXmlDocument().DocumentElement;
        var childNode = XmlDocument.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0];
        XmlDocument.DocumentElement.RemoveChild(childNode);
        var status = XmlDocument.DocumentElement[Saml2Constants.Message.Status, Saml2Constants.ProtocolNamespace.OriginalString];
        XmlDocument.DocumentElement.InsertAfter(element1, status);




        if (certificate == null) throw new ArgumentNullException(nameof(certificate));

        var encryptedData = new EncryptedData
        {
            Type = EncryptedXml.XmlEncElementUrl,
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
        };

        var algorithm = true ? EncryptedXml.XmlEncRSAOAEPUrl : EncryptedXml.XmlEncRSA15Url;
        var encryptedKey = new EncryptedKey
        {
            EncryptionMethod = new EncryptionMethod(algorithm),
        };

        var encryptedXml = new EncryptedXml();
        byte[] encryptedElement;
        using (var encryptionAlgorithm = new AesCryptoServiceProvider())
        {
            encryptionAlgorithm.KeySize = 256;

            encryptedKey.CipherData = new CipherData(EncryptedXml.EncryptKey(encryptionAlgorithm.Key, (RSA)certificate.PublicKey.Key, true));
            encryptedElement = encryptedXml.EncryptData(elementToEncrypt, encryptionAlgorithm, false);
        }
        encryptedData.CipherData.CipherValue = encryptedElement;



        encryptedData.KeyInfo = new KeyInfo();
        encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));
        EncryptedXml.ReplaceElement((XmlElement)xmlDoc.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0], encryptedData, false);
        EncryptedXml.ReplaceElement((XmlElement)XmlDocument.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0], encryptedData, false);

        if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
        {
            Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);
            XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, CertificateIncludeOption, saml2RequestResponse.Id.Value);

        }
        PostContent = string.Concat(HtmlPostPage(saml2RequestResponse.Destination, messageName));
        return this;
    }

Here certificate is public key certificate for any relying party.

Answer 2

I m sorry to say that assertion response encryption is currently not supported.

You are Welcome to create an issue on the missing encryption funktionalitet. If you implement the functionality please share the code.