Support SAML assertion encryption as IdP #1741

Closed · 3 tasks done
annismckenzie opened this issue Jun 1, 2022 · 3 comments
Labels: enhancement (New feature or request)


annismckenzie commented Jun 1, 2022

Support SAML assertion encryption as IdP

Problem

The SAML standard allows for encrypting the assertion in the SAML response. The Auth0 docs on signing and encrypting SAML requests are very comprehensive. FusionAuth currently does not support encrypted SAML assertions. FusionAuth already supports signing SAML authentication requests and handles signed SAML assertions.

Solution

When FusionAuth is acting as the SAML IdP:

  1. Allow configuring a certificate in Key Master that is used to encrypt assertions
  2. Update Application configuration to provide settings for SAML encryption
  3. Generate a symmetric key to encrypt the assertion according to the application configuration. A new key is used for each assertion
  4. Use the configured certificate from Key Master to encrypt the symmetric key and include it in the SAML response

Alternatives/workarounds

none

Additional context

How assertions should be encrypted is hard to figure out from the documentation available online. A lot of places mention using AES128 or AES256. AES is symmetric so it can't be the key included in the metadata as mentioned above. https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests#send-encrypted-saml-authentication-assertions mentions that it uses AES256 for encrypting the assertion and RSA-OAEP for the key transport (presumably the key used for encrypting the assertion). That would mean the certificate generated must adhere to that so it can be used.

It's also possible to encrypt the initial SAML authentication request using a public key provided by the IdP. That would be a separate feature request.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Documentation

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
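The procedure in steps 3 and 4 of the Solution section above (a fresh symmetric key for every assertion, wrapped with the certificate configured in Key Master and shipped inside the SAML response), together with the AES256 / RSA-OAEP pairing mentioned under Additional context, as an added Go example. This is not FusionAuth code and not from the issue author. It assumes AES-256-GCM as the AES mode and SHA-256 inside OAEP (the issue names only "AES256" and "RSA-OAEP"), generates a throwaway RSA key in place of the Key Master certificate, and models only a stripped-down EncryptedAssertion element (no namespaces, Id attributes or KeyInfo). The decrypt side is what a receiving SP has to implement; it pins the expected algorithm URIs instead of trusting the ones carried in the message.

```go
// Added example (not FusionAuth code): minimal SAML EncryptedAssertion round-trip; EncryptAssertion = IdP side (steps 3-4 of the issue), DecryptAssertion = SP side.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// XML Encryption algorithm URIs. AES-256-GCM and SHA-256 inside OAEP are assumptions; the issue only says AES256 and RSA-OAEP.
const (
	AlgAES256GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
	AlgRSAOAEP   = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
)

// EncryptedPart is the shared shape of <xenc:EncryptedData> and <xenc:EncryptedKey> (namespaces, Id and KeyInfo omitted).
type EncryptedPart struct {
	Method struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"EncryptionMethod"`
	CipherValue string `xml:"CipherData>CipherValue"` // base64 of nonce || ciphertext
}
type EncryptedAssertion struct {
	Data EncryptedPart `xml:"EncryptedData"` // the assertion under the per-assertion content key
	Key  EncryptedPart `xml:"EncryptedKey"`  // the content key under the SP's RSA public key
}

func newPart(alg string, raw []byte) (p EncryptedPart) {
	p.Method.Algorithm = alg
	p.CipherValue = base64.StdEncoding.EncodeToString(raw)
	return p
}

// GenerateSPKey stands in for the SP certificate that would be configured in Key Master.
func GenerateSPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails unless key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func EncryptAssertion(assertion []byte, spPub *rsa.PublicKey) (*EncryptedAssertion, error) {
	buf := make([]byte, 32+12) // fresh AES-256 content key plus a 96-bit GCM nonce, never reused
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, assertion, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, contentKey, nil) // key transport
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{Data: newPart(AlgAES256GCM, sealed), Key: newPart(AlgRSAOAEP, wrapped)}, nil
}

// DecryptAssertion pins the expected algorithms rather than trusting the advertised EncryptionMethod.
func DecryptAssertion(enc *EncryptedAssertion, spPriv *rsa.PrivateKey) ([]byte, error) {
	if enc.Key.Method.Algorithm != AlgRSAOAEP || enc.Data.Method.Algorithm != AlgAES256GCM {
		return nil, errors.New("unsupported encryption algorithm")
	}
	wrapped, errK := base64.StdEncoding.DecodeString(enc.Key.CipherValue)
	sealed, errD := base64.StdEncoding.DecodeString(enc.Data.CipherValue)
	if errK != nil || errD != nil {
		return nil, errors.New("malformed CipherValue")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil || len(sealed) < gcm.NonceSize() { // short-circuit: gcm is only touched when err == nil
		return nil, errors.New("bad content key or truncated ciphertext")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil) // the GCM tag check fails on any tampering
}

func main() {
	spKey, _ := GenerateSPKey() // throwaway key; error ignored only in this demo
	sample := []byte(`<saml:Assertion ID="_c1">alice</saml:Assertion>`) // constructed, unsigned stand-in
	enc, err := EncryptAssertion(sample, &spKey.PublicKey)
	if err != nil {
		panic(err)
	}
	out, _ := xml.MarshalIndent(enc, "", "  ")
	fmt.Println(string(out)) // this element goes inside the SAML <Response>
}
```

Running it prints the EncryptedData/EncryptedKey pair that would sit inside the SAML Response. XML Encryption places the IV or nonce at the front of the CipherValue, which is why the SP side splits the first NonceSize bytes off before calling Open. The unwrapped content key is handed to aes.NewCipher, so a wrapped key of the wrong length is rejected before any decryption is attempted, and a CipherValue shorter than the nonce is rejected before slicing; both checks matter because the SP is parsing attacker-reachable input.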


annismckenzie commented Jun 1, 2022

https://backstage.forgerock.com/docs/am/7/saml2-guide/saml2-encryption.html at the top in How Does Encryption Work? explains it better. Pretty involved both on the IdP as well as on the FusionAuth side.

@robotdan robotdan added this to Backlog in FusionAuth Issues via automation Jul 13, 2023
@robotdan robotdan added this to the 1.47.0 milestone Jul 13, 2023
@robotdan robotdan moved this from Backlog to Reviewer approved in FusionAuth Issues Jul 13, 2023
@robotdan robotdan added the enhancement New feature or request label Jul 13, 2023
@spwitt spwitt changed the title Support SAML assertion encryption Support SAML assertion encryption as IdP Jul 21, 2023

spwitt commented Jul 21, 2023

We are preparing a release that will include the ability for FusionAuth to encrypt SAML assertions when acting as the SAML IdP. This issue has been updated to focus on that use case. Two other issues have been created to support encrypted assertions when FusionAuth is acting as the SAML SP and to update SAML metadata response(s) according to the spec.

Project: FusionAuth Issues (Delivered) · Milestone: 1.47.0 · 4 participants · No branches or pull requests