Support SAML assertion encryption as IdP
Problem
The SAML standard allows for encrypting the assertion in the SAML response. The Auth0 docs on signing and encrypting SAML requests are very comprehensive. FusionAuth currently does not support encrypted SAML assertions. FusionAuth already supports signing SAML authentication requests and handles signed SAML assertions.
Solution
When FusionAuth is acting as the SAML IdP:
Allow configuring a certificate in Key Master that is used to encrypt assertions
Update Application configuration to provide settings for SAML encryption
Generate a symmetric key to encrypt the assertion according to the application configuration. A new key is used for each assertion
Use the configured certificate from Key Master to encrypt the symmetric key and include it in the SAML response
Alternatives/workarounds
none
Additional context
How assertions should be encrypted is hard to figure out from the documentation available online. A lot of places mention using AES128 or AES256. AES is symmetric so it can't be the key included in the metadata as mentioned above. https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests#send-encrypted-saml-authentication-assertions mentions that it uses AES256 for encrypting the assertion and RSA-OAEP for the key transport (presumably the key used for encrypting the assertion). That would mean the certificate generated must adhere to that so it can be used.
It's also possible to encrypt the initial SAML authentication request using a public key provided by the IdP. That would be a separate feature request.
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
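The IdP-side steps proposed above (a fresh symmetric key for every assertion, wrapped with the configured certificate's public key via RSA-OAEP and sent with the response) as an added example in Go, not FusionAuth's own code. The `NewSPKey`, `EncryptAssertion` and `aesGCM` names are this example's own; it uses AES-256-GCM where XML Encryption in SAML typically specifies AES-CBC, and a throwaway RSA key stands in for the certificate configured in Key Master.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedAssertion is what a SAML <EncryptedAssertion> carries: the RSA-OAEP-wrapped content
// key (<xenc:EncryptedKey>) and the IV plus AES-GCM ciphertext of the assertion (<xenc:EncryptedData>).
type EncryptedAssertion struct {
	EncryptedKey, EncryptedData []byte
	IV                          [12]byte // GCM nonce, transmitted alongside the ciphertext
}
// NewSPKey is a throwaway RSA key pair standing in for the certificate configured in Key Master.
func NewSPKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// aesGCM builds an AES-256-GCM AEAD from a raw 32-byte content key.
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAssertion is the IdP side: a fresh random AES-256 key for this one assertion, the assertion
// XML sealed under it, and that key wrapped with the SP's RSA public key using OAEP (SHA-256).
func EncryptAssertion(spPub *rsa.PublicKey, assertionXML []byte) (*EncryptedAssertion, error) {
	rnd := make([]byte, 32+12) // new content key and IV for every assertion, never reused
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	ea := &EncryptedAssertion{}
	copy(ea.IV[:], rnd[32:])
	aead, err := aesGCM(rnd[:32])
	if err != nil {
		return nil, err
	}
	ea.EncryptedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, rnd[:32], nil)
	if err != nil {
		return nil, err
	}
	ea.EncryptedData = aead.Seal(nil, ea.IV[:], assertionXML, nil)
	return ea, nil
}
```

On the SP side the content key is unwrapped with the private key (rsa.DecryptOAEP) and the assertion decrypted with it; in a real response both parts are serialised as xenc:EncryptedKey and xenc:EncryptedData elements inside EncryptedAssertion.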
We are preparing a release that will include the ability for FusionAuth to encrypt SAML assertions when acting as the SAML IdP. This issue has been updated to focus on that use case. Two other issues have been created to support encrypted assertions when FusionAuth is acting as the SAML SP and to update SAML metadata response(s) according to the spec.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.