Setting up GitHub Enterprise as a SP - encryption options

Graham Ballantyne grahamb at sfu.ca
Wed Aug 5 23:32:53 UTC 2020


Hello,

I am attempting to set up SAML auth for on-premise GitHub Enterprise. GHE does not support encryption of anything in the SAML response. In relying-party.xml, I have set all the encryption options to false:

<bean parent="RelyingPartyByName" c:relyingPartyIds="https://github-stage.its.sfu.ca">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:encryptAssertions="false"
                  p:encryptNameIds="false"
                  p:encryptAttributes="false"
                  p:includeConditionsNotBefore="false" />
            <ref bean="SAML2.Logout" />
        </list>
    </property>
</bean>

Despite this, the IdP seems to still be insisting on attempting to encrypt assertions in the response, and failing:

2020-08-05 15:15:52,528 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:296] - Profile Action PopulateEncryptionParameters: Encryption for assertions (true), identifiers (false), attributes(false)
2020-08-05 15:15:52,529 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:306] - Profile Action PopulateEncryptionParameters: Resolving EncryptionParameters for request
2020-08-05 15:15:52,542 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:371] - Profile Action PopulateEncryptionParameters: Adding entityID to resolution criteria
2020-08-05 15:15:52,542 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:382] - Profile Action PopulateEncryptionParameters: Adding role metadata to resolution criteria
2020-08-05 15:15:52,543 - x.x.x.x - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:260] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION.  Effective entityID was: https://github-stage.its.sfu.ca
2020-08-05 15:15:52,543 - x.x.x.x - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:186] - Could not resolve encryption parameters based on SAML metadata, falling back to locally configured credentials and algorithms
2020-08-05 15:15:52,544 - x.x.x.x - WARN [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:257] - Validation failure: Failed to resolve both a data and a key encryption credential
2020-08-05 15:15:52,544 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:322] - Profile Action PopulateEncryptionParameters: Failed to resolve EncryptionParameters
2020-08-05 15:15:52,544 - x.x.x.x - WARN [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:339] - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
2020-08-05 15:15:52,580 - x.x.x.x - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidSecurityConfiguration
2020-08-05 15:15:52,581 - x.x.x.x - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:173] - Error event InvalidSecurityConfiguration will be handled with response

This results in an error being returned in the SAML response.

The only way I've been able to get this to work is by setting `idp.encryption.optional = true` in idp.properties; it was commented out and thus set to the default (false).

2020-08-05 16:18:24,414 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:296] - Profile Action PopulateEncryptionParameters: Encryption for assertions (true), identifiers (false), attributes(false)
2020-08-05 16:18:24,415 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:306] - Profile Action PopulateEncryptionParameters: Resolving EncryptionParameters for request
2020-08-05 16:18:24,415 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:371] - Profile Action PopulateEncryptionParameters: Adding entityID to resolution criteria
2020-08-05 16:18:24,415 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:382] - Profile Action PopulateEncryptionParameters: Adding role metadata to resolution criteria
2020-08-05 16:18:24,415 - x.x.x.x - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:260] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION.  Effective entityID was: https://github-stage.its.sfu.ca
2020-08-05 16:18:24,416 - x.x.x.x - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:186] - Could not resolve encryption parameters based on SAML metadata, falling back to locally configured credentials and algorithms
2020-08-05 16:18:24,416 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:322] - Profile Action PopulateEncryptionParameters: Failed to resolve EncryptionParameters
2020-08-05 16:18:24,416 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:336] - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
2020-08-05 16:18:24,420 - x.x.x.x - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:337] - Profile Action PopulateEncryptionParameters: Encryption is optional, ignoring inability to encrypt

GitHub Enterprise's SAML metadata (https://github-stage.its.sfu.ca/saml/metadata) doesn't specify any encryption requirements, so we're not sure why it is trying to encrypt in the first place. We have several other SPs set up on our IdP that don't require encryption, have the encryption options set to false in relying-party.xml, and work properly.

Any suggestions?

Cheers,
Graham.

--
Graham Ballantyne
Senior Systems Engineer | IT Services
Simon Fraser University | Strand Hall 1001
8888 University Dr., Burnaby, B.C. V5A 1S6
604-837-6698
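An added diagnostic script, not part of the message above and not Shibboleth IdP code, that checks the two things the post touches: whether an SP's metadata advertises a KeyDescriptor the IdP could use for encryption (the metadata lookup that the log shows falling back to local configuration), and whether a RelyingPartyByName override's relyingPartyIds matches the SP's entityID character for character, since an override that does not match is silently never applied. The SP metadata, the relying-party.xml fragment and the entityIDs are constructed; treating relyingPartyIds as a plain comma-separated string is an assumption.

```python
"""Check SP metadata for encryption keys and relying-party.xml overrides for an exact entityID match.

Constructed sample documents; the entityID https://sp.example.test is hypothetical.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS = "http://www.springframework.org/schema/beans"
C_NS = "http://www.springframework.org/schema/c"

# Constructed SP metadata: one signing key and no encryption key.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/consume" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed relying-party.xml fragment whose id differs from the SP entityID by a trailing slash.
RELYING_PARTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.test/"/>
</beans>"""


def entity_id(metadata_xml):
    """entityID attribute of the EntityDescriptor root."""
    return ET.fromstring(metadata_xml).get("entityID")


def encryption_key_descriptors(metadata_xml):
    """'use' values of KeyDescriptors an IdP may encrypt to.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is counted as well (recorded as 'unspecified').
    """
    uses = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")
        if use is None:
            uses.append("unspecified")
        elif use == "encryption":
            uses.append("encryption")
    return uses


def sp_advertises_encryption_key(metadata_xml):
    return bool(encryption_key_descriptors(metadata_xml))


def override_ids(relying_party_xml):
    """Every relyingPartyIds value on RelyingPartyByName beans (assumed comma-separated)."""
    ids = []
    for bean in ET.fromstring(relying_party_xml).iter(f"{{{BEANS}}}bean"):
        if bean.get("parent") != "RelyingPartyByName":
            continue
        raw = bean.get(f"{{{C_NS}}}relyingPartyIds", "")
        ids.extend(part.strip() for part in raw.split(",") if part.strip())
    return ids


def normalise(value):
    """Fold differences that make a visually identical id compare unequal:
    surrounding whitespace, a trailing slash, letter case, and mail-client
    link residue of the form 'url<url/>'."""
    v = value.strip()
    if "<" in v:
        v = v.split("<", 1)[0]
    return v.rstrip("/").lower()


def check_override(sp_entity_id, relying_party_xml):
    """Report whether an override matches exactly, and list near misses that would not apply."""
    ids = override_ids(relying_party_xml)
    near = [i for i in ids if i != sp_entity_id and normalise(i) == normalise(sp_entity_id)]
    return {"exact": sp_entity_id in ids, "near_misses": near, "configured_ids": ids}


if __name__ == "__main__":
    sp = entity_id(SP_METADATA)
    print("SP entityID:", sp)
    print("encryption-capable KeyDescriptors:", encryption_key_descriptors(SP_METADATA))
    print("override check:", check_override(sp, RELYING_PARTY_XML))
```

Run against real files by reading the SP metadata and relying-party.xml into the two strings; a result with `exact` False and a non-empty `near_misses` list means the RelyingPartyByName bean will never be selected for that SP, whatever its encryption settings say.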

