
shibboleth-dev - Re: Shibboleth SP - Handling Encrypted Assertions


Re: Shibboleth SP - Handling Encrypted Assertions


  • From: Scott Cantor <>
  • To:
  • Subject: Re: Shibboleth SP - Handling Encrypted Assertions
  • Date: Tue, 11 Mar 2008 23:46:26 -0400


wrote:
> Does the Shibboleth SP have a requirement that Encrypted Assertions must include a copy of the x509 certificate used to encrypt the KeyInfo?

No.

> I am trying to test the Shibboleth SP with a different SAML IDP product, and it is not including a copy of the SP's encryption certificate, and here is the sequence of messages I see in the logfile:

Without the XML, there's really no way I could begin to diagnose it, but most likely there's a bug, or the EncryptedKey is invalid in some fashion, or not "typical" in some fashion.

> The logging differences make me think the issue is the lack of including the X509Certificate, but I am not entirely sure if the problem is related to the KeyInfo encryption algorithm (another point of variance, the Shibboleth IDP uses rsa-oaep-mgf1p, but this product is using rsa-1_5 by default, and I have not fully investigated changing this algorithm).

I don't think we've explored the issues around padding and other factors that are supposedly buggy in either Java or OpenSSL, so it's entirely possible it's the algorithm. Or it could be something very simple.

-- Scott
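As an added diagnostic example (not code from this thread or from the Shibboleth project), the script below parses a SAML 2.0 EncryptedAssertion and reports the two points of variance raised above: the key-transport algorithm on the EncryptedKey and whether its KeyInfo carries an X509Certificate. The sample XML, its key name and its cipher values are constructed for the example.

```python
# Inspect the EncryptedKey inside a SAML 2.0 EncryptedAssertion and report
# the key-transport algorithm and the KeyInfo hints it carries.
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

def inspect_encrypted_assertion(xml_text):
    """Return a dict describing how the assertion's data key was transported."""
    root = ET.fromstring(xml_text)
    # The EncryptedKey may sit inside EncryptedData/KeyInfo or beside EncryptedData.
    enc_key = root.find(".//xenc:EncryptedKey", NS)
    if enc_key is None:
        return {"error": "no EncryptedKey element found"}
    method = enc_key.find("xenc:EncryptionMethod", NS)
    algorithm = method.get("Algorithm") if method is not None else None
    key_info = enc_key.find("ds:KeyInfo", NS)
    # Local names of whatever KeyInfo holds: X509Data, KeyName, RetrievalMethod, ...
    hints = [c.tag.split("}")[-1] for c in key_info] if key_info is not None else []
    has_cert = (key_info is not None and
                key_info.find("ds:X509Data/ds:X509Certificate", NS) is not None)
    notes = []
    if algorithm == RSA_15:
        notes.append("rsa-1_5 (PKCS#1 v1.5) key transport is padding-oracle prone; prefer rsa-oaep-mgf1p")
    elif algorithm != RSA_OAEP:
        notes.append("unrecognised key-transport algorithm: %s" % algorithm)
    if not has_cert:
        notes.append("KeyInfo carries no X509Certificate; the recipient must select its decryption key without a certificate hint")
    return {"algorithm": algorithm, "key_info_hints": hints,
            "has_certificate": has_cert, "notes": notes}

# Constructed sample: rsa-1_5 key transport, KeyInfo holding only a KeyName, dummy ciphertext.
SAMPLE = """<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo><ds:KeyName>sp-encryption-key</ds:KeyName></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""

print(inspect_encrypted_assertion(SAMPLE))
```

Run against the real EncryptedAssertion from the IdP's response to see which of the two differences is present before comparing SP log output.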


