Discussion:
encrypted assertions
Mark K. Miller
2014-08-19 18:51:41 UTC
Permalink
Please forgive me if this has already been answered on this list. I
suspect it has been, but I'm sure it would easily elude my searching
'skills.'

If an implementation claims to support SAML2 but does not support
encrypted assertions, can that claim be completely correct?

Phrasing the intent of my question another way (just in case I'm too
confusing for anyone), are encrypted assertions part of the SAML protocol
spec?

Those who know my protocol expertise will know anything much beyond single
word, single syllable answers are likely to confuse me further.

Thanks,

Max
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Nate Klingenstein
2014-08-19 18:55:56 UTC
Permalink
Max,
Post by Mark K. Miller
If an implementation claims to support SAML2 but does not support
encrypted assertions, can that claim be completely correct?
"Support SAML 2.0" is a vague statement today because the initial normative conformance specifications weren't especially helpful in the first place and they were written a looong time ago. It would be more meaningful to ask them about the SAML2Int work.

http://saml2int.org
Post by Mark K. Miller
Phrasing the intent of my question another way (just in case I'm too
confusing for anyone,) are encrypted assertions part of the SAML protocol
spec?
Yes, the encryption is in there. 2.3.4.

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Hope this helps,
Nate.
Tmonte
2014-08-19 18:59:35 UTC
Permalink
If you use ArcGIS Online with Enterprise Logins, encrypted assertions are
not supported. You will get errors.
PeteDiak
2014-08-19 19:02:14 UTC
Permalink
ArcGIS Online does not support this. See:
http://doc.arcgis.com/en/arcgis-online/reference/configure-shibboleth.htm

Turn off assertion encryption in the Shibboleth IdP.
ArcGIS Online does not support encrypted SAML assertions from the identity
providers, so you need to turn off assertion encryption in Shibboleth. To
turn off assertion encryption, open the
SHIBBOLETH_HOME/conf/relying-party.xml file and search for the
"saml:SAML2SSOProfile" section within the element. In this section, change the
value of encryptAssertions to never.

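The ArcGIS instructions quoted above change encryptAssertions in the default profile, which turns encryption off for every SP the IdP serves. The fragment below is an added example, not code from the thread, from Shibboleth or from the ArcGIS page: a Shibboleth IdP 2.x conf/relying-party.xml excerpt that keeps the default at "conditional" and overrides it to "never" only for the one relying party that cannot decrypt. The provider URL, credential reference and the rp:RelyingParty id are placeholders; ArcGIS Online's real SP entityID is per-organization and has to be taken from its own metadata.

```xml
<!-- Added example: Shibboleth IdP 2.x conf/relying-party.xml excerpt (fragment of the
     rp:RelyingPartyGroup element). provider, defaultSigningCredentialRef and the
     rp:RelyingParty id are placeholders, not values taken from the thread. -->
<rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
                        defaultSigningCredentialRef="IdPCredential">
    <!-- Default kept as shipped: encrypt whenever the SP's metadata carries an
         encryption key; the assertion is still signed either way. -->
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="300000"
                             assertionProxyCount="0"
                             signResponses="never"
                             signAssertions="always"
                             encryptAssertions="conditional"
                             encryptNameIds="never"/>
</rp:DefaultRelyingParty>

<!-- Override scoped to the single SP that cannot decrypt. id must equal that
     SP's entityID exactly (placeholder here; copy it from the SP's metadata). -->
<rp:RelyingParty id="https://sp-that-cannot-decrypt.example.com/saml"
                 provider="https://idp.example.org/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="300000"
                             assertionProxyCount="0"
                             signResponses="never"
                             signAssertions="always"
                             encryptAssertions="never"
                             encryptNameIds="never"/>
</rp:RelyingParty>
```

Two things to keep in mind with this override. In IdP 2.x an rp:RelyingParty element replaces the whole profile list for that SP, so every profile the SP uses (attribute query, logout, and so on) has to be listed there too, not only SAML2SSOProfile. And with encryption off, the attributes in the assertion cross the user's browser in the clear under the POST binding; signAssertions="always" preserves integrity, but confidentiality then rests on TLS alone. Shibboleth IdP 3 moved this setting to a bean property (p:encryptAssertions="false" on the SAML2.SSO profile bean) rather than the attribute shown here.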
Chris Phillips
2014-08-19 19:03:00 UTC
Permalink
From my perspective, it's a specific implementation profile on the SAML2
spec; it's there to be used but not required to be 'enabled' (or is it?).
Others may have more insight.

For instance, ADFS supports SAML2 but sending it an encrypted assertion
gives it grief (at least my instance).
(yes, my signing key is separate from my encryption key -- still borks and
event viewer is oh so helpful *cough*.
If anyone has this clearly sorted out I'd love to hear from you).

So, I say yes it's SAML2 capable.

Nate's SAML2int.org reference is a good touchstone item to use as a
yardstick for what you're asking.

Chris.
Cantor, Scott
2014-08-19 19:38:52 UTC
Permalink
Post by Chris Phillips
From my perspective, it's a specific implementation profile on the SAML2
spec, it's there to be used but not required to be 'enabled' (or is it?)
others may have more insight.
It's required to implement, but not to enable.
Post by Chris Phillips
For instance, ADFS supports SAML2 but sending it an encrypted assertion
gives it grief (at least my instance).
They handle it, AFAIK.
Post by Chris Phillips
(yes, my signing key is separate from my encryption key -- still borks and
event viewer is oh so helpful *cough*.
If anyone has this clearly sorted out I'd love to hear from you).
When I've tested against ADFS, I've done it with encryption on.

-- Scott
Cantor, Scott
2014-08-19 19:37:35 UTC
Permalink
Post by Mark K. Miller
If an implementation claims to support SAML2 but does not support
encrypted assertions, can that claim be completely correct?
In the sense of being conformant with any defined standard conformance
class, no; encryption is an MTI feature (mandatory to implement).

No vendor that doesn't support encryption is going to be aware that a
thing called SAML conformance exists, of course.

As a deployment matter, nothing is going to require that somebody support
encryption. It's an optional-to-use feature that we happen to enable by
default.
Post by Mark K. Miller
Phrasing the intent of my question another way (just in case I'm too
confusing for anyone,) are encrypted assertions part of the SAML protocol
spec?
Encryption is something you do to assertions or bits of data inside them,
it's not part of the protocol layer in SAML. It's defined by the core SAML
spec document, though.
Post by Mark K. Miller
Those who know my protocol expertise will know anything much beyond single
word, single syllable answers are likely to confuse me further.
Please read the above as "blorg".

-- Scott
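Scott's distinction above (encryption is mandatory to implement and optional to use, and it is applied to the assertion rather than to the protocol layer) is visible on the wire: the samlp:Response carries a saml:EncryptedAssertion in place of a saml:Assertion, with the XML Encryption algorithms named inside it. What follows is an added example, not code from the thread, from Shibboleth or from ArcGIS: a standard-library-only Python inspector an SP operator can run over a captured Response to see whether the assertion is encrypted, which algorithms were used, and whether the Response is something the SP can handle. The two sample Responses are constructed for this example and their CipherValue and SignatureValue contents are placeholders, not real ciphertext or signatures. The checks go a little beyond the thread's question: RSA-1.5 key transport is deprecated by XML Encryption 1.1, and CBC ciphertext is malleable, so when the Response itself is unsigned the decrypted assertion's own signature has to be verified before anything in it is trusted.

```python
"""Inspect a SAML 2.0 Response for an encrypted assertion (saml-core section 2.3.4).

Added example for this thread; not Shibboleth or ArcGIS code. Standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Key-transport algorithm deprecated by XML Encryption 1.1 (PKCS#1 v1.5 padding).
WEAK_KEY_TRANSPORT = {"http://www.w3.org/2001/04/xmlenc#rsa-1_5"}
# CBC data-encryption algorithms provide no integrity protection of their own.
CBC_DATA_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}


def _algorithm(parent):
    """Algorithm attribute of parent's xenc:EncryptionMethod child, or None."""
    if parent is None:
        return None
    method = parent.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def inspect_response(xml_text):
    """Describe how the assertion inside a samlp:Response is protected."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    info = {
        "encrypted": False,
        "data_algorithm": None,
        "key_transport_algorithm": None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False,  # only knowable pre-decryption for plaintext assertions
    }
    encrypted = root.find("saml:EncryptedAssertion", NS)
    plain = root.find("saml:Assertion", NS)
    if encrypted is not None:
        data = encrypted.find("xenc:EncryptedData", NS)
        if data is None:
            raise ValueError("EncryptedAssertion without xenc:EncryptedData")
        info["encrypted"] = True
        info["data_algorithm"] = _algorithm(data)
        # XML Encryption allows the wrapped session key either under
        # EncryptedData/KeyInfo or as a sibling of EncryptedData.
        key = data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
        if key is None:
            key = encrypted.find("xenc:EncryptedKey", NS)
        info["key_transport_algorithm"] = _algorithm(key)
    elif plain is not None:
        info["assertion_signed"] = plain.find("ds:Signature", NS) is not None
    else:
        raise ValueError("Response carries neither saml:Assertion nor saml:EncryptedAssertion")
    return info


def assess(info, sp_supports_encryption=True):
    """Findings an SP operator would act on for the Response described by info."""
    findings = []
    if info["encrypted"] and not sp_supports_encryption:
        findings.append("encrypted assertion but this SP cannot decrypt; the IdP must "
                        "set encryptAssertions=never for this relying party")
    if info["key_transport_algorithm"] in WEAK_KEY_TRANSPORT:
        findings.append("RSA-1.5 key transport is deprecated; prefer RSA-OAEP")
    if info["data_algorithm"] in CBC_DATA_ALGORITHMS and not info["response_signed"]:
        findings.append("CBC ciphertext with no signature over the Response; verify the "
                        "decrypted saml:Assertion's own signature before trusting it")
    if not info["encrypted"] and not (info["response_signed"] or info["assertion_signed"]):
        findings.append("plaintext assertion with no signature on Response or Assertion")
    return findings


# Constructed samples (not captured traffic); CipherValue/SignatureValue are placeholders.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
         'ID="_r1" Version="2.0" IssueInstant="2014-08-19T18:51:41Z">'
         '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>')
ENCRYPTED_RESPONSE = _HEAD + (
    '<saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
    '<ds:KeyInfo><xenc:EncryptedKey>'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
    '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedKey></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')
PLAINTEXT_RESPONSE = _HEAD + (
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-08-19T18:51:41Z">'
    '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
    '<ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>max</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for label, doc in (("encrypted", ENCRYPTED_RESPONSE), ("plaintext", PLAINTEXT_RESPONSE)):
        details = inspect_response(doc)
        print(label, details, assess(details, sp_supports_encryption=False))
```

Run against the encrypted sample with sp_supports_encryption=False, the inspector reports both the "cannot decrypt" finding (the failure mode ArcGIS Online users hit) and the CBC note; the signed plaintext sample produces no findings. Swapping the sample's rsa-oaep-mgf1p for rsa-1_5 adds the deprecated-key-transport finding.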
Mark K. Miller
2014-08-19 22:00:52 UTC
Permalink
Post by Cantor, Scott
Post by Mark K. Miller
Those who know my protocol expertise will know anything much beyond
single word, single syllable answers are likely to confuse me further.
Please read the above as "blorg".
Perfect! I knew I could count on Scott for the answer I was looking for!
Seriously, though, I'll be putting your first sentence to good use. As
always, THANK YOU!!!

Max