Question About SAML Assertion Encryption

Cantor, Scott cantor.2 at osu.edu
Fri May 13 17:19:05 EDT 2016


> So I have a few questions.  First off, is there an easy way that I can take a
> cipher value out of a response and attempt to decrypt it, to verify whether or
> not our cert or this mysterious third cert is actually being used for encryption
> (maybe a mostly copy pasted openssl command), or is there any other
> validation within the Request/Response to validate which cert was used for
> encryption?

You can't decrypt the data without the private key, so by definition, no.

The certificate containing the public key used to encrypt the data encryption key is inside the EncryptedKey element's KeyInfo block, and is pulled from the metadata.

>  Secondly, can anyone offer insight as to the process that
> Shibboleth uses to encrypt and sign assertions?

Signing and encryption are entirely different operations, and the process is defined in the SAML standard and by reference the XML Signature and Encryption standards. If you're looking for a summary of how the keys are used, that's in the wiki under https://wiki.shibboleth.net/confluence/display/IDP30/SecurityAndNetworking

>  I’m guessing this is probably
> documented somewhere, so if there is a page explaining this in more detail
> that someone can point me towards, I’d much appreciate it.  I’ve just always
> been under the impression that the certs in the metadata were used for
> this, and it’s a little confusing to see a certificate offered in the request might
> actually be responsible.

There is absolutely no way to tell the IdP what key to encrypt under by sending it one in a request. It comes from the metadata.

-- Scott
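
Added example, not part of the original message and not Shibboleth code: a way to check which certificate a response was encrypted under without any private key, by fingerprinting the certificate in each EncryptedKey's KeyInfo and comparing it with the encryption-capable KeyDescriptors in the SP metadata. The function names, the entityID and the sample XML are constructed for illustration, and the placeholder bytes stand in for real DER certificates.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
X509 = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def fingerprint(b64_text):
    """SHA-256 over the DER bytes carried in a ds:X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def response_key_fingerprints(response_xml):
    """Certificates named in the KeyInfo of every xenc:EncryptedKey."""
    root = ET.fromstring(response_xml)
    return [fingerprint(c.text) for c in root.iterfind(".//xenc:EncryptedKey/" + X509, NS)]

def metadata_encryption_fingerprints(metadata_xml):
    """Metadata keys usable for encryption (no 'use' attribute means both uses)."""
    root = ET.fromstring(metadata_xml)
    return {fingerprint(c.text)
            for kd in root.iterfind(".//md:KeyDescriptor", NS)
            if kd.get("use") in (None, "encryption")
            for c in kd.iterfind(X509, NS)}

def check(response_xml, metadata_xml):
    """Map each fingerprint seen in the response to whether the metadata lists it."""
    known = metadata_encryption_fingerprints(metadata_xml)
    return {fp: fp in known for fp in response_key_fingerprints(response_xml)}

# Constructed sample input; placeholder bytes, not real certificates.
ENC = base64.b64encode(b"constructed SP encryption cert").decode()
SIG = base64.b64encode(b"constructed SP signing cert").decode()
def _ki(cert):
    return (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data><ds:X509Certificate>'
            f'{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')
METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://sp.example.org/shibboleth">'
            f'<md:SPSSODescriptor><md:KeyDescriptor use="signing">{_ki(SIG)}</md:KeyDescriptor>'
            f'<md:KeyDescriptor use="encryption">{_ki(ENC)}</md:KeyDescriptor>'
            f'</md:SPSSODescriptor></md:EntityDescriptor>')
def sample_response(cert):
    return (f'<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'xmlns:xenc="{NS["xenc"]}"><xenc:EncryptedData><ds:KeyInfo xmlns:ds="{NS["ds"]}">'
            f'<xenc:EncryptedKey>{_ki(cert)}<xenc:CipherData><xenc:CipherValue>AAAA'
            f'</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>'
            f'</xenc:EncryptedData></saml:EncryptedAssertion>')

if __name__ == "__main__":
    print(check(sample_response(ENC), METADATA))
```

Run the comparison against the copy of the SP metadata that the IdP has actually loaded, since that is where the encryption key comes from.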



