saml-idp icon indicating copy to clipboard operation
saml-idp copied to clipboard
verified publisher icon mcguinness

Assertion encryption not working.

Open mkgn opened this issue 3 years ago • 3 comments

I am running node v14.8

To test assertion encryption, I created a key pair (btw.. without encryption everything works fine)

openssl genrsa -out assertion-enc-key.pem 2048 
openssl rsa -in assertion-enc-key.pem -outform PEM -pubout -out assertion-pub-key.pem <--extracted public key from above file

run the tool using below command line options.

node app.js --acsUrl http://cockerham.stratus.lk/Tenant/TestSsoAssertionConsumer 
--audience http://cockerham.stratus.com 
--encryptAssertion true 
--encryptionPublicKey ./assertion-pub-key.pem 
--encryptionCert ./assertion-enc-key.pem

Once I login; in the console it shows

Generating SAML Response using => { ... data to generate ... }

Then it gives below error and quits. I feel I may be using the options/keys wrong?

image

mkgn avatar Dec 21 '22 10:12 mkgn

The openssl genrsa command generates an RSA private key, which should not be filled into the --encryptionCert field.

encryptionPublicKey is used for digital signatures, which is typically stored at IDP and SP normally will sign with the corresponding private key on their end, while encryptionCert is used for encrypting the sensitive information during communication, so you can have SP to encrypt the request and IDP just need to hold the private key to decrypt it.

TL;DR You need 2 public keys from 2 pairs of keys. You can use the idp-public-cert.pem in the codebase for the encryptionCert field, or you can generate a pair by following the README.

As for the encryptionPublicKey, you can do openssl genpkey -algorithm RSA -out private_key.pem -aes256 openssl rsa -in private_key.pem -pubout -out public_key.pem

With corrected form of keys, this issue should be fixed paticularly. Undeniably, this is a bug within the samlp package it's using.

jazelly avatar Mar 28 '23 04:03 jazelly

Hi @jazelly, Can I have some questions? This app has been working well for my local testing. But recently I need to use the "assertion encryption" feature and I can only get a "CA.cer" certificates(from okta). I'm not sure what encryptionPublicKey should be and where to get it? Thank you!

zhengxiangyue avatar Jun 07 '23 20:06 zhengxiangyue

@zhengxiangyue My understanding is this:

I can only get a "CA.cer" certificates(from okta)

You shouldn't need to use a third-party IDP's certificate, as this repo acts as a mock IDP

I'm not sure what encryptionPublicKey should be and where to get it

Like what I suggested, you can generate a pair of public key and private key. The encryptionPublicKey should be the public key.

Hope that helps

jazelly avatar Jul 07 '23 01:07 jazelly