OpenSAML user discussion

[Brent Putman <>]

On 2/14/11 9:37 AM, Cantor, Scott E. wrote:
>> What does <xenc:CipherValue> field contains exactly and how can it be
>> generated within my client??
> 
> Holder of key doesn't involve XML encryption, at least not typically.



I'd agree that's true in our usual SAML world (Web SSO), but the people
involved more with the WS-Security/WS-Trust world seem to be oddly
concerned/obsessed/fixated with the symmetric proof key case, rather
than asymmetric.  I guess they perhaps assume that WS clients typically
don't have long-term key-pairs, and so since you're going to generate an
ephemeral proof key anyway, might as well do symmetric and be more
efficient.

I mention that since the poster mentioned STS and the example includes a
wsse:SecurityTokenReference, and what he described sounds like a
symmetric key case.

Anyway, to the original poster: you should probably take a look at the
XML Encryption spec if you really need to know about these details
(hint: the xenc:CipherValue contains the actual encrypted key data).

In terms of Java OpenSAML: Take a look at the
org.opensaml.xml.encryption.Encrypter class, in particular the
encryptKey(..) methods.  That's how you'd generate the xenc:EncryptedKey
element.

And along the lines of what Scott said, if your use case allows, you
could potentially save yourself some pain and just use an asymmetric
proof-of-possession keypair.  Then you don't have to deal with XML
Encryption - the STS would embed the client's public key as-is in the
Assertion's subject confirmation data.

--Brent