Re: SAML XML encryption and XML signature


Olav Morken

Jun 27, 2012, 2:56:32 AM
to simple...@googlegroups.com
On Mon, Jun 18, 2012 at 13:11:07 -0700, jeetu p wrote:
> Hi,
>
> My question is, if you are the IDP and you are generating the Assertion
>
> what's the order of encryption and signature

It depends. If you sign the Assertion-element, the signature must be
applied before it is encrypted. (After all, the Signature-element is
inside the Assertion-element.)

If you sign the Response-element, the signature is applied after the
Assertion-element has been transformed into an
EncryptedAssertion-element.

> is it calculate signature and then do encryption or do encryption first and
> then calculate signature
>
> Also, is the signature mandatory as per SAML 2.0 standards

Not if you have a different way to validate the authenticity of the
message. E.g. using the HTTP-Artifact binding, you could use the SSL
certificates of the endpoint to validate it. From section 4.1.4.4
of the SAML 2.0 profile specification:

Either the SAML binding used to dereference the artifact or message
signatures can be used to authenticate the parties and protect the
messages.


Best regards,
Olav Morken
UNINETT / Feide
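The two layouts described in the reply (sign the Assertion, then encrypt it; or sign the Response over the EncryptedAssertion), as an added structural checker that is not part of the thread or of SimpleSAMLphp. It only walks the XML: it reports which elements carry an enveloped ds:Signature whose Reference URI is the parent's own ID, and whether the Assertion is encrypted (in which case an Assertion-level Signature is inside the ciphertext and only becomes visible after decryption). The sample documents are constructed and contain no real signature values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

def protection_layout(response_xml):
    """Structural view of a samlp:Response: which elements carry an
    enveloped ds:Signature whose Reference URI is their own ID, and whether
    the Assertion is encrypted (then any Assertion-level Signature sits
    inside the ciphertext). No cryptography is verified here; an XML-DSig
    library must still check digests and the signature value."""
    root = ET.fromstring(response_xml)
    layout = {"signed": [],           # elements protected by their own Signature
              "unbound_signatures": 0,  # Signatures not referencing their parent
              "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
              "plain_assertion": root.find("saml:Assertion", NS) is not None}
    for parent in root.iter():
        for sig in parent.findall("ds:Signature", NS):
            ref = sig.find("ds:SignedInfo/ds:Reference", NS)
            uri = ref.get("URI", "") if ref is not None else ""
            if uri == "#" + parent.get("ID", "?"):
                layout["signed"].append(parent.tag.split("}")[1])
            else:
                layout["unbound_signatures"] += 1
    return layout

_HDR = ('xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s"' % NS)

def _sig(ref_id):  # minimal constructed Signature skeleton, not a real signature
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo></ds:Signature>' % ref_id)

# Constructed sample 1: Response signed after the Assertion was encrypted.
RESPONSE_SIGNED = ('<samlp:Response %s ID="_r1">%s<saml:EncryptedAssertion>'
                   '<xenc:EncryptedData/></saml:EncryptedAssertion></samlp:Response>'
                   % (_HDR, _sig("_r1")))
# Constructed sample 2: sample 1 after decryption, i.e. the Assertion signed before encryption.
ASSERTION_SIGNED = ('<samlp:Response %s ID="_r2"><saml:Assertion ID="_a1">%s'
                    '</saml:Assertion></samlp:Response>' % (_HDR, _sig("_a1")))
# Constructed sample 3: a Response-level Signature whose Reference points elsewhere.
MISBOUND = ('<samlp:Response %s ID="_r3">%s<saml:Assertion ID="_a2"/>'
            '</samlp:Response>' % (_HDR, _sig("_a2")))

if __name__ == "__main__":
    for name, doc in [("response-signed", RESPONSE_SIGNED), ("assertion-signed", ASSERTION_SIGNED), ("misbound", MISBOUND)]:
        print(name, protection_layout(doc))
```

SAML requires enveloped signatures, so a Signature whose Reference does not point at its parent's ID is counted as not protecting that parent; on the SP side, the Assertion's own signature can only be checked after the EncryptedAssertion has been decrypted.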