
mace-opensaml-users - Re: [OpenSAML] Migrating to opensaml 2.2.0

Re: [OpenSAML] Migrating to opensaml 2.2.0
  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Migrating to opensaml 2.2.0
  • Date: Mon, 27 Oct 2008 19:34:47 -0400
Pantvaidya, Vishwajit wrote:


credential.setPrivateKey(@get the private key to be used for this request possibly configured based on where the request is coming from@);

Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(credential), new InlineEncryptedKeyResolver());

It seems to be using a private key to decrypt the assertion.

1. Shouldn’t a public key be used instead of a private key?


No.  Data is encrypted by the sender with the recipient's public key.  The recipient then decrypts with their corresponding private key.

You may be confusing this with signing, which is the other way around - the sender signs with their private key, then the recipient validates with the sender's public key.

2. Are assertions usually decrypted, even when https is used?


As Scott said, it's up to the IdP.  One reason to still encrypt under the Web SSO profile, in spite of using HTTPS everywhere, is that the Assertion may be cached on the user's browser.  If that Assertion contains sensitive data, it is probably undesirable for it to be in the clear.
--Brent
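The key-direction point in Brent's answer, as an added example that is not part of the thread and not OpenSAML project code: the sender (IdP) encrypts with the recipient's public key only, and the recipient (SP) decrypts with the matching private key via the same Decrypter / StaticKeyInfoCredentialResolver / InlineEncryptedKeyResolver combination quoted above. It assumes the OpenSAML 2.x class and method names shown (Encrypter, EncryptionParameters, KeyEncryptionParameters, SecurityHelper.getSimpleCredential); the key pairs are generated in-process for illustration and buildAssertion is a hypothetical helper that produces a minimal Assertion.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;

public class AssertionEncryptionDirection {

    /** IdP side: only the recipient's PUBLIC key is needed to encrypt. */
    public static EncryptedAssertion encryptForRecipient(Assertion assertion, Credential recipientPublicKeyCred)
            throws Exception {
        // Symmetric data-encryption key is generated per message by the Encrypter ...
        EncryptionParameters dataParams = new EncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
        // ... and wrapped (key transport) under the recipient's RSA public key.
        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(recipientPublicKeyCred);
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

        Encrypter encrypter = new Encrypter(dataParams, kekParams);
        // Put the EncryptedKey inline so InlineEncryptedKeyResolver can find it on the other side.
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter.encrypt(assertion);
    }

    /** SP side: the matching PRIVATE key is required to unwrap the data key and decrypt. */
    public static Assertion decryptAsRecipient(EncryptedAssertion encrypted, Credential recipientPrivateKeyCred)
            throws Exception {
        Decrypter decrypter = new Decrypter(
                null,                                                      // no resolver for inline data keys
                new StaticKeyInfoCredentialResolver(recipientPrivateKeyCred), // key-encryption-key resolver
                new InlineEncryptedKeyResolver());                         // where to find the EncryptedKey
        return decrypter.decrypt(encrypted);
    }

    /** Hypothetical helper: builds a minimal Assertion with a constructed ID. */
    static Assertion buildAssertion() {
        Assertion a = (Assertion) Configuration.getBuilderFactory()
                .getBuilder(Assertion.DEFAULT_ELEMENT_NAME)
                .buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        a.setID("_constructed-example-assertion");
        a.setIssueInstant(new DateTime());
        return a;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Constructed SP key pair for illustration; in deployment this comes from the SP's keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair spKeys = kpg.generateKeyPair();

        // What the IdP is given (metadata): the SP's public key only, no private key.
        Credential spPublicOnly = SecurityHelper.getSimpleCredential(spKeys.getPublic(), null);
        // What the SP holds locally: the private half as well.
        Credential spPrivate = SecurityHelper.getSimpleCredential(spKeys.getPublic(), spKeys.getPrivate());

        EncryptedAssertion onTheWire = encryptForRecipient(buildAssertion(), spPublicOnly);
        Assertion recovered = decryptAsRecipient(onTheWire, spPrivate);
        System.out.println("Recovered assertion ID: " + recovered.getID());
    }
}
```

Handing the Decrypter a credential that carries only the public key (spPublicOnly) fails with a DecryptionException, which is the practical form of Brent's point: possession of the private key is what distinguishes the intended recipient. Signing runs in the opposite direction and uses a different pair of classes (Signer with the sender's private-key credential, SignatureValidator with the sender's public key); the two operations are independent, so a deployment can require both.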