[Shib-Users] NameID Encryption Default Setting Change

93 views
Skip to first unread message

Chad La Joie

unread,
Jan 14, 2009, 2:07:43 AM1/14/09
to Shibboleth Users
Currently the default setting for NameIDs is encrypt them if the
transport is not providing end-to-end confidentiality. This is also
true for the assertions. Therefore in the default Shib 2 flow the IdP
ends up encrypting both the NameID and the Assertion. Since the NameID
is in the assertion encrypting it really isn't necessary and adds yet
another crypto operation to the IdP.

So, there has been a proposal to change the default setting to NOT
encrypt NameIDs (but to continue to encrypt the Assertion). Is anyone
currently relying on this default behavior such that changing it would
cause some sort of major issue for you?

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Chad La Joie

unread,
Jan 28, 2009, 3:01:58 AM1/28/09
to shibbole...@internet2.edu
Hearing no objection to this I will make this change in the next release.

Lukas Haemmerle

unread,
Jan 30, 2009, 9:01:39 AM1/30/09
to shibbole...@internet2.edu
Can this be turned off also for the currently deployed 2.x IdPs? If so,
what configuration option has to be toggled :)

I couldn't find anything on:
https://spaces.internet2.edu/display/SHIB2/SAML2StringNameIDEncoder
where I would have suspected to find something :)

The reason why I ask is that SimpleSAML currently cannot handle
encrypted nameids. Therefore, it would be great if we could turn off
encryption even before the next release :)

One more question regarding this: I assume that changing this (default)
setting doesn't require metadata or something else to be changed on the
SP side, right?

Cheers
Lukas

--
SWITCH
Serving Swiss Universities
--------------------------

Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
lukas.h...@switch.ch, http://www.switch.ch

Peter Schober

unread,
Jan 30, 2009, 9:12:59 AM1/30/09
to shibbole...@internet2.edu
* Lukas Haemmerle <lukas.h...@switch.ch> [2009-01-30 15:00]:

> Can this be turned off also for the currently deployed 2.x IdPs? If so,
> what configuration option has to be toggled :)

checking the archives:

* Peter Schober <peter....@univie.ac.at> [2008-07-25 18:25]:
> * sanket....@gmail.com <sanket....@gmail.com> [2008-07-25 17:45]:
> > We have a Service Provider that accepts unencrypted accertions only.
> > My IDP is sending the response with <saml:EncryptedAssertion>.
> > Please let me know what should I change to make this saml response
> > go with <saml:Assertion>
>
> Add a RelyingParty element to conf/relying-party.xml with a profile
> configuration where encryptAssertions="never" (and possibly
> encryptNameIds="never", since I'd expect them to not like those
> either).
>
> https://spaces.internet2.edu/display/SHIB2/IdPXMLSigEnc

or

* Peter Schober <peter....@univie.ac.at> [2008-09-27 00:22]:
> * Russell Beall <be...@usc.edu> [2008-09-26 20:39]:
> > It will be nice to separate off this unusual SP.
>
> Just add another RelyingParty element with an empty
> ProfileConfiguration element, overriding the defaults as needed, e.g.
>
> <RelyingParty id="https://some-sp.example.edu/shibboleth"
> provider="https://your-idp.example.edu/shibboleth"
> defaultSigningCredentialRef="IdPCredential" >
> <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
> encryptAssertions="never"
> encryptNameIds="never" />
> </RelyingParty>
>
> See https://spaces.internet2.edu/display/SHIB2/IdPXMLSigEnc or the
> default conf/relying-party.xml for more.

cheers,
-peter

--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Peter Schober

unread,
Jan 30, 2009, 9:14:49 AM1/30/09
to shibbole...@internet2.edu
* Lukas Haemmerle <lukas.h...@switch.ch> [2009-01-30 15:00]:
> The reason why I ask is that SimpleSAML currently cannot handle
> encrypted nameids. Therefore, it would be great if we could turn off
> encryption even before the next release :)

this always was possible, and hab been discussed on both the
simplesamlphp list and here a few times.

> One more question regarding this: I assume that changing this (default)
> setting doesn't require metadata or something else to be changed on the
> SP side, right?

adjusting your saml:SAML2SSOProfile profile configuration is enough.

Paul Hethmon

unread,
Jan 30, 2009, 9:14:56 AM1/30/09
to Shibboleth Users
On 1/30/09 9:01 AM, "Lukas Haemmerle" <lukas.h...@switch.ch> wrote:

Can this be turned off also for the currently deployed 2.x IdPs? If so,
what configuration option has to be toggled :)

In relying-party.xml, change the <RelyingParty> for the particular SP. The <ProfileConfiguration> attribute of “encryptNameIds” should be set to a value of “never”. So something like this:

    
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's warm for the rest of his life.

 -- Terry Pratchett, Discworld

Lukas Haemmerle

unread,
Jan 30, 2009, 9:48:13 AM1/30/09
to shibbole...@internet2.edu
> In relying-party.xml, change the <RelyingParty> for the particular SP. The
> <ProfileConfiguration> attribute of ³encryptNameIds² should be set to a
> value of ³never². So something like this:
>
> <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
> encryptAssertions="never" encryptNameIds="never" />

I added another RelyingParty and it indeed seems to work now also with
SimpleSAML. Thanks (also to Peter) :)

Reply all
Reply to author
Forward
0 new messages