Question about encrypted assertions

Cantor, Scott cantor.2 at
Wed Sep 19 13:31:56 EDT 2018

On 9/19/18, 7:05 AM, "users on behalf of Losen, Stephen C (scl)" <users-bounces at on behalf of scl at> wrote:

> how does the Shibboleth IDP encrypt an assertion?

That is not a one sentence (or paragraph, or email) answer.

> Does the IDP generate a random symmetric key on the fly?


>  How does the IDP pass the symmetric key to the SP securely? Does the IDP encrypt the symmetric key using the public 
> (RSA) key in the cert contained in the SP metadata?


>  Looks like the IDP also signs the symmetric key.

It does not.

>  Seems like a lot of extra work, why not simply encrypt the entire assertion with RSA using the SP's public RSA key?

That's not how RSA encryption works; it can't encrypt large data blocks.

-- Scott
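The hybrid scheme the thread is circling around (a random per-assertion symmetric key, with only that key transported under the SP's RSA public key, which is what XML Encryption's EncryptedKey/EncryptedData pair does in SAML) and Scott's closing point about RSA block size, as an added Go example using only the standard library. This is not Shibboleth code; the SP key pair, the assertion text and the names in it are constructed for the example, and AES-GCM with RSA-OAEP stands in for whichever XML Encryption algorithms a given IdP/SP pair negotiate.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sampleAssertion is a constructed, minimal SAML-like assertion used only as
// plaintext here; it is deliberately longer than one RSA block can carry.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// EncryptedAssertion stands in for the two parts of an XML Encryption
// <EncryptedAssertion>: the <EncryptedKey> (content key wrapped with the SP's
// RSA public key) and the <EncryptedData> (assertion under the content key).
type EncryptedAssertion struct {
	WrappedKey []byte // random AES key, RSA-OAEP encrypted to the SP
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // assertion encrypted and authenticated with the AES key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAssertion is the IdP side: a fresh random symmetric key per assertion,
// the (arbitrarily large) assertion encrypted with that key, and only the
// 32-byte key wrapped with RSA. Nothing here signs the symmetric key.
func EncryptAssertion(spPub *rsa.PublicKey, assertion []byte) (*EncryptedAssertion, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, assertion, nil),
	}, nil
}

// DecryptAssertion is the SP side: unwrap the content key with the private key
// matching the certificate in the SP's metadata, then decrypt and verify.
func DecryptAssertion(spPriv *rsa.PrivateKey, ea *EncryptedAssertion) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, spPriv, ea.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
}

// DirectRSAFails shows why the whole assertion cannot simply be RSA-encrypted:
// RSA-OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes of
// plaintext, so the library refuses the full assertion.
func DirectRSAFails(spPub *rsa.PublicKey, assertion []byte) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, assertion, nil)
	return errors.Is(err, rsa.ErrMessageTooLong)
}

// RoundTrip generates a throwaway SP key pair (constructed for the example),
// encrypts the sample assertion to it, decrypts it, and reports whether the
// plaintext survived and whether direct RSA encryption was rejected.
func RoundTrip() (decryptedOK bool, directRSARejected bool, err error) {
	spKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	assertion := []byte(sampleAssertion)
	ea, err := EncryptAssertion(&spKey.PublicKey, assertion)
	if err != nil {
		return false, false, err
	}
	plain, err := DecryptAssertion(spKey, ea)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(plain, assertion), DirectRSAFails(&spKey.PublicKey, assertion), nil
}

func main() {
	ok, rejected, err := RoundTrip()
	fmt.Printf("decrypted ok: %v, direct RSA rejected: %v, err: %v\n", ok, rejected, err)
}
```

The integrity of the encrypted assertion comes from the AEAD tag (and, in SAML, from the signature on the assertion or response), not from signing the wrapped key, which is why the IdP has no reason to sign it.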
