Question About SAML Assertion Encryption

Reynolds, Jeffrey JReynolds at utdallas.edu
Fri May 13 13:04:25 EDT 2016


Hi everyone,

This might be the wrong place for this question, and if so let me know and I’ll take it to the appropriate location.  I have a question about how SAML messages are encrypted and signed.  We are working to integrate a new service with our Shibboleth Identity Providers.  The service has provided us with two sites, a production and a test site, and we have had to upload certificates for both sites to generate the site metadata files.  I’ve configured both sites’ metadata in our IdP, and I can see both separate certificates listed in this metadata (the ones we generated).

Here’s where things get strange.  I’m troubleshooting an issue with the integration, and I noticed that when I check the SAML Request from their service provider, it contains a third certificate not generated by us.  Furthermore, it appears that this certificate is being used to actually encrypt the assertions (though I’m not 100% sure of this, I’ve got a very strong feeling this is the case).

So I have a few questions.  First off, is there an easy way that I can take a cipher value out of a response and attempt to decrypt it, to verify whether our cert or this mysterious third cert is actually being used for encryption (maybe a mostly copy-pasted openssl command), or is there any other validation within the Request/Response to validate which cert was used for encryption?  Secondly, can anyone offer insight as to the process that Shibboleth uses to encrypt and sign assertions?  I’m guessing this is probably documented somewhere, so if there is a page explaining this in more detail that someone can point me towards, I’d much appreciate it.  I’ve just always been under the impression that the certs in the metadata were used for this, and it’s a little confusing to see that a certificate offered in the request might actually be responsible.

Tango mike for any information on the above,


Jeff Reynolds
Senior Information Security Analyst
972-883-6828 | jreynolds at utdallas.edu
Information Security Office (http://www.utdallas.edu/infosecurity/)
The University of Texas at Dallas (http://www.utdallas.edu/)
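As an added example (not part of the original post, and not Shibboleth's or OpenSAML's own code), the script below shows the check the question asks for: it parses a SAML Response, finds each EncryptedKey under the EncryptedAssertion, reads the certificate that EncryptedKey names in its own KeyInfo, and matches it by SHA-256 fingerprint against the certificates taken from the SP's metadata. The response XML and the certificate blobs are constructed placeholders, and the RSA-OAEP algorithm URI is the standard XML Encryption one.

```python
# Added example (not from the original post): map the certificate named in a
# SAML Response's EncryptedKey to the SP metadata certificate it matches.
# The response XML and certificate blobs below are constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(b64_cert):
    """SHA-256 of the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def encrypted_keys(response_xml):
    """Yield (key-transport algorithm, recipient cert fingerprint or None) per EncryptedKey.
    The recipient key is named by the EncryptedKey's own KeyInfo; the EncryptedKey may
    sit inside EncryptedData/KeyInfo or beside EncryptedData, so search the whole subtree."""
    root = ET.fromstring(response_xml)
    for ek in root.iterfind(".//saml:EncryptedAssertion//xenc:EncryptedKey", NS):
        method = ek.find("xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        cert = ek.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        yield alg, (fingerprint(cert.text) if cert is not None and cert.text else None)

def match_metadata(response_xml, metadata_certs):
    """Return [(algorithm, metadata cert name or None)]. None means no known cert was
    named, so only trial decryption with each candidate private key can settle it."""
    known = {fingerprint(b64): name for name, b64 in metadata_certs.items()}
    return [(alg, known.get(fp)) for alg, fp in encrypted_keys(response_xml)]

# Constructed stand-ins for the base64 DER blobs carried in <ds:X509Certificate>.
CERTS = {name: base64.b64encode(f"constructed-{name}-cert".encode()).decode()
         for name in ("prod", "test", "third")}
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{NS['saml']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <saml:EncryptedAssertion><xenc:EncryptedData>
    <ds:KeyInfo><xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{RSA_OAEP}"/>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERTS['third']}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":  # third cert is not in metadata, so it reports None
    print(match_metadata(SAMPLE_RESPONSE, {k: CERTS[k] for k in ("prod", "test")}))
```

When the EncryptedKey carries no KeyInfo at all, the remaining check is to base64-decode its CipherValue and try each candidate private key with `openssl pkeyutl -decrypt -inkey <key.pem> -in <blob> -pkeyopt rsa_padding_mode:oaep`; only the key the assertion was actually encrypted for yields a plausible symmetric key.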