
Support for encrypted assertions

Open dblessing opened this issue 9 years ago • 4 comments

Does omniauth-saml support encrypted assertions? ruby-saml does so maybe it's possible here and I'm just not seeing it. If anyone has insight, please share.

dblessing · May 17 '16 22:05

I haven't tried it, but the settings for omniauth-saml pass through to ruby-saml, so you should be able to set the private_key setting to make it work. The readme also mentions setting certificate, but I don't think that's needed for decrypting assertions (though it may be helpful if your IdP is trying to determine the target public key from the metadata URL).

I believe this has been possible since https://github.com/omniauth/omniauth-saml/pull/82 was merged. There is some further discussion in #50, #52, and #58.

md5 · May 19 '16 16:05

@dblessing I am able to use encrypted assertions; all you need is to set `private_key` and `certificate` in the settings when you pass them to the saml provider.

jiongye · Jun 27 '16 14:06

@md5 `certificate` is required not for decryption, but to offer this certificate in the SP metadata, so the IdP's admin can retrieve it and use it to encrypt the Assertion/NameID of the SAMLResponse.

pitbulk · Aug 04 '16 18:08
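The thread above boils down to two settings with two different jobs: `private_key` is what ruby-saml uses to decrypt the `EncryptedAssertion`/`EncryptedID`, and `certificate` is what ends up in SP metadata so the IdP knows which public key to encrypt to. The example below is added here and is not code from omniauth-saml or ruby-saml; it builds the provider options hash and, before the app boots, checks that the certificate and private key actually belong together, because a mismatch means the IdP encrypts to a key the SP cannot use and every login fails with an undecryptable assertion. Option names (`issuer`, `assertion_consumer_service_url`, `idp_sso_target_url`, `idp_cert`, `private_key`, `certificate`) follow the omniauth-saml README of that era and should be checked against your installed version; the key pair and hostnames are constructed for the example.

```ruby
require 'openssl'

# Added example, not omniauth-saml's own code. The key pair built here is a
# throwaway for demonstration; in a real deployment the private key comes from
# your secret store and the certificate is the one published in SP metadata.
def generate_constructed_sp_keypair(subject: '/CN=sp.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key.to_pem, cert.to_pem]
end

# The IdP encrypts to the public key in SP metadata (the `certificate` setting);
# ruby-saml decrypts with `private_key`. If the two do not belong together the
# assertion can never be decrypted, so verify the pairing before handing the
# settings to OmniAuth. check_private_key compares the cert's public key with
# the private key and returns a boolean.
def keypair_matches?(private_key_pem, certificate_pem)
  key  = OpenSSL::PKey::RSA.new(private_key_pem)
  cert = OpenSSL::X509::Certificate.new(certificate_pem)
  cert.check_private_key(key)
end

# Build the options hash for `provider :saml, ...`. Key names are assumed from
# the omniauth-saml README of the time; `idp_cert_pem` is the IdP's signing
# certificate (used to verify the response), which is unrelated to decryption.
def saml_provider_options(private_key_pem:, certificate_pem:, idp_sso_target_url:,
                          idp_cert_pem:, issuer:, acs_url:)
  unless keypair_matches?(private_key_pem, certificate_pem)
    raise ArgumentError, 'SAML certificate does not match private_key; ' \
                         'the IdP would encrypt assertions the SP cannot decrypt'
  end
  {
    issuer: issuer,
    assertion_consumer_service_url: acs_url,
    idp_sso_target_url: idp_sso_target_url,
    idp_cert: idp_cert_pem,
    private_key: private_key_pem,   # decrypts EncryptedAssertion / EncryptedID
    certificate: certificate_pem    # published in SP metadata for the IdP to encrypt to
  }
end

# Typical wiring (constructed hostnames). In a Rails app this would live in an
# initializer:
#   Rails.application.config.middleware.use OmniAuth::Builder do
#     provider :saml, saml_provider_options(...)
#   end
if __FILE__ == $PROGRAM_NAME
  sp_key, sp_cert = generate_constructed_sp_keypair
  _idp_key, idp_cert = generate_constructed_sp_keypair(subject: '/CN=idp.example.test')
  opts = saml_provider_options(
    private_key_pem: sp_key, certificate_pem: sp_cert,
    idp_sso_target_url: 'https://idp.example.test/sso',
    idp_cert_pem: idp_cert,
    issuer: 'https://sp.example.test/saml/metadata',
    acs_url: 'https://sp.example.test/auth/saml/callback'
  )
  puts "private_key matches certificate: #{keypair_matches?(opts[:private_key], opts[:certificate])}"
end
```

Only `private_key` is needed for decryption itself, which is why md5's guess holds; `certificate` matters at the metadata step, which is pitbulk's point. Running the pairing check at boot turns a silent "assertion could not be decrypted" failure during login into an immediate, obvious configuration error.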

@pitbulk I did mention that use case in my comment, but it's good to hear it directly from a ruby-saml developer like yourself.

md5 · Aug 04 '16 20:08