mace-opensaml-users - RE: [OpenSAML] Testing SAML relying party browser post profile

Subject: OpenSAML user discussion

RE: [OpenSAML] Testing SAML relying party browser post profile


  • From: "Pantvaidya, Vishwajit" <>
  • To: "" <>
  • Subject: RE: [OpenSAML] Testing SAML relying party browser post profile
  • Date: Mon, 10 Nov 2008 17:45:16 -0800
  • Accept-language: en-US
  • Acceptlanguage: en-US

Pantvaidya, Vishwajit wrote:

> Does the test IdP let me provide a secret key as well?

No, I don't think the TestShib IdP lets you provide a secret key. It's just storing the info you give it in public metadata, so that's counter to that approach. Actually, I don't believe there's any currently defined mechanism to represent symmetric keys in a ds:KeyInfo, which is used by SAML metadata.

[Pantvaidya, Vishwajit] So what you mean is that even with SAML2.0 there is no way to use secret keys?

…Re: encryption: When you do encryption in SAML, especially if the IdP and SP are exchanging info via SAML metadata, it is typical that you do actually encrypt the data with a randomly generated symmetric key. That symmetric data encryption key in turn is encrypted with the recipient's public key (e.g. obtained from metadata) and sent along with the encrypted data as an xenc:EncryptedKey element. Take a look at the XML…

[Pantvaidya, Vishwajit] Just to understand this, why not just encrypt with the public key? Does this provide any additional level of security (though I cannot imagine how).

- Vishwajit.