Question about encrypted assertions

Crawford, Jeffrey jcrawford at it.ucla.edu
Wed Sep 19 13:26:29 EDT 2018


I don't know the details about how things are encrypted, but the error would seem to me to indicate that the certificate you put in the metadata doesn't actually match the key the SP (livesafe) is using locally. If you have access to both, checking the modulus with openssl should yield the same string. If it doesn't, then something went wrong somewhere.

I have also seen a couple of SPs that have trouble with SHA-2 certs and keys. However, that is becoming less of a problem as we move forward and more systems support it.

Jeffrey.

On 9/19/18, 4:06 AM, "users on behalf of Losen, Stephen C (scl)" <users-bounces at shibboleth.net on behalf of scl at virginia.edu> wrote:

    Hi folks,
    
    Quick question, how does the Shibboleth IDP encrypt an assertion? The XML for the encrypted assertion mentions a symmetric cipher (AES128). So what symmetric key does the IDP use? Does the IDP generate a random symmetric key on the fly? How does the IDP pass the symmetric key to the SP securely? Does the IDP encrypt the symmetric key using the public (RSA) key in the cert contained in the SP metadata? Looks like the IDP also signs the symmetric key. Seems like a lot of extra work; why not simply encrypt the entire assertion with RSA using the SP's public RSA key?
    
    We had an issue integrating our IDP with a SAML app (Livesafe) and disabling encryption fixed it. The error on the Livesafe side seemed to indicate that it could not obtain the key to decrypt the assertion.
    
    Stephen C. Losen
    ITS - Systems and Storage
    University of Virginia
    scl at virginia.edu    434-924-0640
    
    
    -- 
    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
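The modulus check Jeffrey suggests, written out as an added example (not code from the thread or from Shibboleth): it pulls the X509Certificate out of the SP's metadata, re-wraps it as PEM, and compares its RSA modulus with that of the key the SP holds locally. It assumes openssl is on PATH; the key, certificate and metadata files are constructed by the script itself.

```shell
#!/bin/sh
# Added example: verify that the certificate an SP publishes in its SAML
# metadata belongs to the RSA private key the SP actually uses, by comparing
# moduli with openssl. Assumes openssl on PATH; all fixtures are constructed.

# Print "Modulus=..." for the first X509Certificate element (ds: prefix or
# not) in a SAML metadata file, re-wrapping its base64 body as a PEM cert.
metadata_cert_modulus() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$(awk 'BEGIN { RS = "<" } /^(ds:)?X509Certificate>/ { sub(/^[^>]*>/, ""); print; exit }' "$1" \
            | tr -d ' \t\r\n' | fold -w 64)"
        echo '-----END CERTIFICATE-----'
    } | openssl x509 -noout -modulus
}

# Print "Modulus=..." for an RSA private key file (PKCS#1 or PKCS#8).
key_modulus() {
    openssl rsa -noout -modulus -in "$1"
}

# Succeed only when the metadata certificate and the local key share a modulus.
moduli_match() {
    [ "$(metadata_cert_modulus "$1")" = "$(key_modulus "$2")" ]
}

# Build constructed fixtures in directory $1: an SP key with a matching
# self-signed cert, an unrelated key, and minimal SP metadata carrying the cert
# under an encryption KeyDescriptor (the element the IdP uses to wrap the AES key).
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sp.example.org' \
        -keyout "$1/sp.key" -out "$1/sp.crt" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
    {
        echo '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
        echo '    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">'
        echo '  <md:SPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
        echo '  <ds:X509Certificate>'
        sed '/^-----/d' "$1/sp.crt"   # base64 body only, as metadata carries it
        echo '  </ds:X509Certificate>'
        echo '  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>'
        echo '</md:EntityDescriptor>'
    } > "$1/sp-metadata.xml"
}

# Stand-alone run: report a match and a detected mismatch on the fixtures.
main() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    if moduli_match "$dir/sp-metadata.xml" "$dir/sp.key"; then echo "sp.key matches the metadata cert"; fi
    if ! moduli_match "$dir/sp-metadata.xml" "$dir/other.key"; then echo "other.key does NOT match (expected)"; fi
    rm -rf "$dir"
}
main
```

Against a real deployment, point metadata_cert_modulus at the SP metadata registered with the IdP and key_modulus at the SP's configured private key; differing strings mean the IdP is wrapping the AES key for a certificate the SP cannot unwrap.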
    


