
mace-opensaml-users - Re: [OpenSAML] Testing SAML relying party browser post profile

Subject: OpenSAML user discussion


Re: [OpenSAML] Testing SAML relying party browser post profile


  • From: Brent Putman <>
  • Subject: Re: [OpenSAML] Testing SAML relying party browser post profile
  • Date: Mon, 10 Nov 2008 13:09:21 -0500




Pantvaidya, Vishwajit wrote:
> Does the test IdP let me provide a secret key as well?
No, I don't think the TestShib IdP lets you provide a secret key. It's
just storing the info you give it in public metadata, so that's counter
to that approach. Actually, I don't believe there's any currently
defined mechanism to represent symmetric keys in a ds:KeyInfo, which is
used by SAML metadata.



> I am thinking secret keys would be primarily (or even only?) used in
> encryptions and not signatures - which means they are irrelevant for
> SAML1.x but could be used for encryption in SAML2.0. Is this accurate?


You actually can do signing with symmetric keys as well. See HMAC,
which is implemented as keyed hashing. There are several HMAC
algorithms defined for XML Signature.

Re: encryption: When you do encryption in SAML, especially if the IdP
and SP are exchanging info via SAML metadata, it is typical that you do
actually encrypt the data with a randomly generated symmetric key. That
symmetric data encryption key in turn is encrypted with the recipient's
public key (e.g. obtained from metadata) and sent along with the
encrypted data as an xenc:EncryptedKey element. Take a look at the XML
Encryption spec and relevant sections of SAML Core if you want to know
all the gory details. The OpenSAML 2 Decrypter code handles all that
for you transparently, as long as you give it the right inputs.
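The hybrid scheme described in the reply above, as an added example that is not from the original thread or from OpenSAML itself: the sender encrypts the payload under a freshly generated symmetric data encryption key, wraps that key with the recipient's public key (the one it would take from metadata), and the recipient unwraps and decrypts, which is the job the OpenSAML 2 Decrypter does. It is written in Go with only the standard library so it runs stand-alone; the `Envelope` type and the `encrypt`/`decrypt` functions are hypothetical names, the sample assertion text is constructed, and AES-GCM with RSA-OAEP over SHA-256 stands in for the XML Encryption algorithm URIs OpenSAML would select.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a hypothetical stand-in for xenc:EncryptedData (payload under the DEK) plus xenc:EncryptedKey (wrapped DEK).
type Envelope struct {
	Nonce         []byte // per-message nonce for the data cipher
	EncryptedData []byte
	EncryptedKey  []byte
}

// encrypt (sender/IdP): fresh random DEK, payload under it, DEK wrapped with the recipient's metadata public key.
func encrypt(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 16) // AES-128 DEK, never reused across messages
	if _, err := rand.Read(dek); err != nil { return nil, err }
	block, err := aes.NewCipher(dek)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, dek, nil)
	if err != nil { return nil, err }
	return &Envelope{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// decrypt is the recipient (SP) side, the job the OpenSAML 2 Decrypter does:
// unwrap the DEK with the private key, then decrypt the payload with the DEK.
func decrypt(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.EncryptedKey, nil)
	if err != nil { return nil, err } // wrong private key: the DEK is never recovered
	block, err := aes.NewCipher(dek)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.EncryptedData, nil) // fails on tampered data
}

func main() {
	sp, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed SP key pair
	env, _ := encrypt(&sp.PublicKey, []byte("<saml:Assertion>constructed sample</saml:Assertion>"))
	pt, err := decrypt(sp, env)
	fmt.Printf("%s %v\n", pt, err) // prints the assertion and <nil>
}
```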