Question about encrypted assertions

Crawford, Jeffrey jcrawford at
Wed Sep 19 13:26:29 EDT 2018

I don't know the details about how things are encrypted, but the error would seem to me to indicate that the certificate you put in the metadata doesn't actually match the key the SP (Livesafe) is using locally. If you have access to both, checking the modulus with openssl should yield the same string. If it doesn't, then something went wrong somewhere.

I have also seen a couple of SPs that have trouble with SHA-2 certs and keys. However, that is becoming less of a problem as we move forward and more systems support it.


On 9/19/18, 4:06 AM, "users on behalf of Losen, Stephen C (scl)" <users-bounces at on behalf of scl at> wrote:

    Hi folks,
    Quick question, how does the Shibboleth IDP encrypt an assertion? The XML for the encrypted assertion mentions a symmetric cipher (AES128). So what symmetric key does the IDP use?  Does the IDP generate a random symmetric key on the fly?  How does the IDP pass the symmetric key to the SP securely? Does the IDP encrypt the symmetric key using the public (RSA) key in the cert contained in the SP metadata?  Looks like the IDP also signs the symmetric key.  Seems like a lot of extra work, why not simply encrypt the entire assertion with RSA using the SP's public RSA key?
    We had an issue integrating our IDP with a SAML app (Livesafe) and disabling encryption fixed it. The error on the Livesafe side seemed to indicate that it could not obtain the key to decrypt the assertion.
    Stephen C. Losen
    ITS - Systems and Storage
    University of Virginia
    scl at    434-924-0640
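Crawford's suggestion above (compare the modulus of the metadata certificate with the SP's local key), worked through as an added example that is not from the thread: a POSIX shell script that pulls every X509Certificate element out of the SP metadata and reports whether any of them shares its RSA modulus with the local private key. It assumes openssl on PATH, an unencrypted RSA key in PEM, and that the metadata path and key path are passed as the two arguments.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the certificate an SP
# publishes in its SAML metadata matches the private key it holds locally by
# comparing RSA moduli. Assumes: openssl on PATH, an unencrypted RSA key in PEM,
# and metadata carrying the cert in <X509Certificate> (with or without a ds: prefix).

# Print the base64 body of every X509Certificate element, one per line.
metadata_certs() {
  tr -d '\n\r\t ' < "$1" \
    | awk '{ gsub(/<\/(ds:)?X509Certificate>/, "\n"); print }' \
    | sed -n 's/.*<\(ds:\)\{0,1\}X509Certificate>//p'
}

# SHA-256 of the "Modulus=..." line openssl prints for the PEM object on stdin.
# $1 is the openssl subcommand: x509 for a certificate, rsa for a private key.
# Fails (non-zero) if openssl cannot read the object as RSA material.
modulus_fp() {
  m=$(openssl "$1" -noout -modulus 2>/dev/null) || return 1
  [ -n "$m" ] || return 1
  printf '%s' "$m" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Wrap a bare base64 certificate body in PEM armour so openssl can parse it.
b64_to_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$1" | fold -w 64
  printf '%s\n' '-----END CERTIFICATE-----'
}

# Return 0 if any certificate in metadata $1 shares its modulus with key $2,
# 1 if none does, 2 if the key could not be read as an RSA private key.
metadata_matches_key() {
  key_fp=$(modulus_fp rsa < "$2") || return 2
  for b64 in $(metadata_certs "$1"); do
    cert_fp=$(b64_to_pem "$b64" | modulus_fp x509) || continue
    [ "$cert_fp" = "$key_fp" ] && return 0
  done
  return 1
}

# Usage: sh check-sp-key.sh sp-metadata.xml sp.key
if [ "$#" -eq 2 ]; then
  if metadata_matches_key "$1" "$2"; then
    echo "match: a metadata certificate and the local key share a modulus"
  else
    echo "MISMATCH: no certificate in the metadata matches the local key"
    exit 1
  fi
fi
```

A mismatch here is exactly the situation the reply describes: the IdP encrypts to the public key it found in metadata, and the SP cannot decrypt because it holds a different private key.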
