Question about encrypted assertions

Losen, Stephen C (scl) scl at
Wed Sep 19 07:05:21 EDT 2018

Hi folks,

Quick question, how does the Shibboleth IDP encrypt an assertion? The XML for the encrypted assertion mentions a symmetric cipher (AES128). So what symmetric key does the IDP use? Does the IDP generate a random symmetric key on the fly? How does the IDP pass the symmetric key to the SP securely? Does the IDP encrypt the symmetric key using the public (RSA) key in the cert contained in the SP metadata? Looks like the IDP also signs the symmetric key. Seems like a lot of extra work, why not simply encrypt the entire assertion with RSA using the SP's public RSA key?

We had an issue integrating our IDP with a SAML app (Livesafe) and disabling encryption fixed it. The error on the Livesafe side seemed to indicate that it could not obtain the key to decrypt the assertion.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640
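The key-transport structure the question describes, as an added example that is not part of the original post and is not Shibboleth or OpenSAML code. A SAML 2.0 EncryptedAssertion is XML Encryption: the assertion body is encrypted under a fresh random content-encryption key (EncryptedData), and only that small key is encrypted under the SP's RSA public key from metadata (EncryptedKey). The Go program below, using only the standard library, mimics that two-layer layout. Assumptions made for the illustration: AES-128-GCM and RSA-OAEP with SHA-256 are chosen here, whereas XML Encryption deployments commonly use AES-CBC and RSA-OAEP with MGF1/SHA-1 or RSA v1.5 key transport; `SampleAssertion` is a constructed, minimal assertion and all key material is generated in the program rather than read from metadata.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// SampleAssertion is a constructed, minimal assertion (not real IdP
// output); it only needs to be larger than a single RSA block.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2018-09-19T11:05:21Z"><saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer><saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>`

// EncryptedAssertion mirrors the two parts of an XML Encryption
// <EncryptedAssertion>: the content encrypted under a one-time
// symmetric key (EncryptedData) and that key wrapped under the
// recipient's RSA public key (EncryptedKey).
type EncryptedAssertion struct {
	WrappedKey []byte // EncryptedKey: RSA-OAEP(content-encryption key)
	Nonce      []byte // per-message nonce for AES-GCM
	Ciphertext []byte // EncryptedData: AES-128-GCM(assertion)
}

// GenerateSPKey stands in for the SP's encryption key pair. A real IdP
// sees only the public half, published as the encryption certificate in
// the SP's metadata.
func GenerateSPKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptAssertion is the IdP side: draw a fresh random AES-128 key,
// encrypt the assertion with it, and wrap only that 16-byte key with
// the SP's RSA public key.
func EncryptAssertion(assertion []byte, spPub *rsa.PublicKey) (*EncryptedAssertion, error) {
	cek := make([]byte, 16) // AES-128, as the XML in the question shows
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, assertion, nil)
	// Key transport: the RSA operation covers only the small key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptAssertion is the SP side: unwrap the content key with the
// private key matching the metadata certificate, then decrypt. If the
// SP holds a different private key, the unwrap fails here.
func DecryptAssertion(ea *EncryptedAssertion, spPriv *rsa.PrivateKey) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, ea.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap content-encryption key: %w", err)
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
}

// DirectRSAPossible reports whether the whole payload fits in a single
// RSA-OAEP operation. With a 2048-bit key and SHA-256 the cap is
// 256 - 2*32 - 2 = 190 bytes, far below the size of an assertion.
func DirectRSAPossible(payload []byte, spPub *rsa.PublicKey) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, payload, nil)
	return err == nil
}

func main() {
	spKey, err := GenerateSPKey()
	if err != nil {
		panic(err)
	}
	ea, err := EncryptAssertion([]byte(SampleAssertion), &spKey.PublicKey)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptAssertion(ea, spKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes, round trip ok: %v\n",
		len(ea.WrappedKey), len(ea.Ciphertext), string(pt) == SampleAssertion)
	fmt.Printf("whole assertion fits in one RSA block: %v\n",
		DirectRSAPossible([]byte(SampleAssertion), &spKey.PublicKey))
}
```

Two points the program makes concrete. `DirectRSAPossible` shows why the assertion is not simply RSA-encrypted: a single RSA-OAEP operation can carry only a payload smaller than the modulus minus padding overhead (190 bytes for a 2048-bit key with SHA-256), and an assertion is several kilobytes, so a symmetric content key is needed regardless of performance. `DecryptAssertion` also shows where an SP fails when the private key it holds does not match the encryption certificate in the metadata the IdP consumed: the EncryptedKey cannot be unwrapped, so the content key is never obtained. When diagnosing that symptom, a useful check on the SP side is that the private key configured for decryption corresponds to the certificate marked for encryption use in the metadata the IdP actually has loaded.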
