KeyDescriptor encryption in SAML2 SP metadata


Pavel Šejnoha

Apr 14, 2009, 4:35:43 AM
to simple...@googlegroups.com
Hi,

I have a problem with logging in to a Shibboleth 2.1 IdP with
encryptAssertions enabled.

Shibboleth writes in the response:

<samlp:StatusMessage>Unable to encrypt assertion</samlp:StatusMessage>

Explanation from the Shibboleth web page "Common Identity Provider Errors":

edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler: Unable to construct encrypter, caused by: org.opensaml.xml.security.SecurityException: Key encryption credential may not be null

If the IdP is configured to encrypt assertions or name ID's to a
particular SP, the metadata for the SP (as held by the IdP) must contain
the public key that will be used for key encryption. This key encryption
key (usually a public key or certificate) must be represented in
metadata within the EntityDescriptor/SPSSODescriptor/KeyDescriptor for
the SP in question. The KeyDescriptor must either omit the 'use'
attribute or have a value of 'use="encryption"'. The KeyInfo contained
within the KeyDescriptor must contain either the SP's certificate in an
X509Data/X509Certificate element, or must contain the SP's raw public
key value in a KeyValue element.

I'm attaching a simple patch that adds a second KeyDescriptor element (with
attribute 'use="encryption"') to the SAML2 SP metadata.

Pavel

KeyDescriptor_Encryption_in_SAML2_SP_metadata.patch

Peter Schober

Apr 14, 2009, 9:09:59 AM
to simple...@googlegroups.com
* Pavel Šejnoha <sej...@ro.vutbr.cz> [2009-04-14 10:36]:

> I'm attaching a simple patch that adds a second KeyDescriptor element (with
> attribute 'use="encryption"') to the SAML2 SP metadata.

How come I never had to do this?
(Maybe I always tuned the XML metadata by hand?)

cheers,
-peter

Olav Morken

Apr 15, 2009, 3:06:21 AM
to simple...@googlegroups.com

Until recently (revision 1369, 2009-03-04) the 'use' attribute wasn't
included on the KeyDescriptor element. I don't remember the specifics,
but I believe that some SPs won't use the key for validation unless
use="signing" was set.

--
Olav Morken

Pavel Šejnoha

Apr 15, 2009, 3:59:10 AM
to simple...@googlegroups.com
Olav Morken wrote on Wed 15. 04. 2009 at 09:06 +0200:

A Shibboleth 2.1 IdP needs, for encrypting assertions:

1.) two KeyDescriptors (use=signing + use=encryption)

or

2.) one KeyDescriptor without attribute use

In our EduID federation, all Shibboleth SPs have two KeyDescriptors.
Shibboleth IdPs have only one KeyDescriptor, either with the 'use'
attribute (signing) or without it.

http://www.eduid.cz/docs/eduid/metadata/eduid-metadata.xml


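A small metadata lint for the condition described in the first message (a KeyDescriptor with 'use' omitted or use="encryption", carrying an X509Certificate or KeyValue) and the two options listed above, written as an added example for this thread; it is not simpleSAMLphp or Shibboleth code, and the sample EntityDescriptors and certificate value are constructed placeholders.

```python
# Lint an SP's SAML 2.0 metadata for a KeyDescriptor that an IdP can use for
# assertion encryption: 'use' omitted or use="encryption", and KeyInfo with
# X509Data/X509Certificate or KeyValue. Added example for this thread; not
# simpleSAMLphp or Shibboleth code.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _has_key_material(kd):
    """True if the KeyDescriptor's KeyInfo carries a certificate or raw key."""
    return (kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
            or kd.find("ds:KeyInfo/ds:KeyValue", NS) is not None)

def encryption_keys(metadata_xml):
    """Return the 'use' values (None when omitted) of every SPSSODescriptor
    KeyDescriptor an IdP may use for key encryption."""
    root = ET.fromstring(metadata_xml)
    usable = []
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        if use in (None, "encryption") and _has_key_material(kd):
            usable.append(use)
    return usable

def can_encrypt_to_sp(metadata_xml):
    """The IdP's precondition: without a usable key it answers
    'Unable to encrypt assertion' (key encryption credential is null)."""
    return bool(encryption_keys(metadata_xml))

# Constructed sample metadata; the certificate value is a placeholder.
_CERT = "MIIB...placeholder..."

def _kd(use=None):
    attr = ' use="%s"' % use if use else ""
    return ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            % (attr, _CERT))

def _entity(key_descriptors):
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sp.example.org/">'
            '<md:SPSSODescriptor>%s</md:SPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], key_descriptors))

SIGNING_ONLY = _entity(_kd("signing"))                           # pre-patch generator output
SIGNING_AND_ENCRYPTION = _entity(_kd("signing") + _kd("encryption"))  # option 1
NO_USE_ATTRIBUTE = _entity(_kd())                                  # option 2
```

Running `can_encrypt_to_sp` over the three samples reproduces the thread: the signing-only metadata is rejected, while both option 1 and option 2 pass.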

Peter Schober

Apr 15, 2009, 8:29:04 AM
to simple...@googlegroups.com
* Olav Morken <ola...@stud.ntnu.no> [2009-04-15 09:06]:

> Until recently (revision 1369, 2009-03-04) the 'use' attribute wasn't
> included on the KeyDescriptor element. I don't remember the specifics,
> but I believe that some SP won't use the key for validation the unless
> use="signing" was set.

Ah OK, see also the Approved Erratum to SAML 2.0 Metadata, E62 (p.16, line
659) making the use of the 'use' attribute more explicit:
http://www.oasis-open.org/committees/download.php/22387/sstc-saml-metadata-errata-2.0-wd-03-diff.pdf
cheers,
-peter

Olav Morken

Apr 16, 2009, 2:55:43 AM
to simple...@googlegroups.com

This should now be fixed. I changed the code so that it always adds
two KeyDescriptor-elements - including for a SAML 2 IdP. (Not that
anything sent to the IdP is currently encrypted.)

Thanks for reporting this, and for including a patch!

--
Olav Morken
