mace-opensaml-users - RE: [OpenSAML] RE: Encrypting multiple elements with one session key

Subject: OpenSAML user discussion

  • From: Dan Ciarniello <>
  • To: "''" <>
  • Subject: RE: [OpenSAML] RE: Encrypting multiple elements with one session key
  • Date: Tue, 8 Mar 2011 09:40:37 -0800
  • Accept-language: en-US

Ok. Thanks for the info.

My preference is to simply encrypt the assertion but performance concerns
have been raised about being forced to decrypt the assertion before being
able to check its validity so I've been exploring alternative approaches.

Thanks again,
Dan.

-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott E.
Sent: Wednesday, March 02, 2011 4:57 PM
To:
Subject: Re: [OpenSAML] RE: Encrypting multiple elements with one session key

On 3/2/11 5:11 PM, "Dan Ciarniello" <> wrote:
>I haven't tried it yet but I am pretty sure that I can generate an AES
>key using SecurityHelper.generateSymmetricKey() which I can then add to
>the EncryptionParameters object passed to the Encrypter. What I don't
>know is how to add this key to the assertion. What I'm looking to do
>would be something like:

Using exotic KeyInfo syntax will generally fail on most implementations,
and RetrievalMethod is all but "never use" at this point.

I don't know if the errata around encryption in SAML highlights a best
practice around this kind of key syntax, but it would be something to be
very careful with.

In general, nobody encrypts individual elements like this very often.
Encrypt the assertion and life is much simpler.

-- Scott



