Subject: Re: [saml-dev] encrypting saml protocol messages
On 10/31/11 3:27 PM, swu@axolotl.com wrote:
> Thanks, Hal,
> agreed.. but can't a Saml Response element contain an encrypted element
> inside of it?

A SAML 2.0 Response can directly contain an EncryptedAssertion, or a (non-encrypted) Assertion can contain an EncryptedID in its Subject or one or more EncryptedAttribute's in an AttributeStatement.

> If we detect the EncryptedElement

There isn't an element here literally called 'EncryptedElement'; there are the SAML 2.0 saml2:Encrypted* elements above, which will contain an XML Encryption-defined xmlenc:EncryptedData and possibly zero or more xmlenc:EncryptedKey's.

> in DOM/SAX then before
> passing things to OpenSAML (which is the reference implementation we are
> using), we should decrypt it first.

The OpenSAML library specifically has support for encrypting and decrypting the SAML 2.0 Encrypted* things directly in our XMLObject abstraction, as well as support for handling key resolution, key encryption key (KEK) decryption, etc. You shouldn't need to do anything at the DOM/SAX level when using OpenSAML, unless you have very odd and atypical requirements vis-a-vis SAML and XML Encryption.

You didn't mention Java vs C++, but the Java docs on encryption support are in the users guide here:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManJavaXMLEncryption

If you need specific guidance or have questions on using these features, you are welcome to continue this discussion on our OpenSAML developer's list (which is recently now co-resident with the Shibboleth developer's list).

http://shibboleth.internet2.edu/lists.html
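The reply above lays out where the three SAML 2.0 Encrypted* elements may legitimately appear (EncryptedAssertion directly under a Response, EncryptedID under a Subject, EncryptedAttribute under an AttributeStatement) and what each wraps (one xmlenc:EncryptedData plus zero or more xmlenc:EncryptedKey's). The following Python script is an added illustration of that structure and is not code from the thread or from the OpenSAML project; it walks a constructed Response (placeholder CipherValue contents, not real ciphertext), inventories every Encrypted* element with its parent, its EncryptedData algorithm and its EncryptedKey count, and flags the two structural defects a receiver should notice before handing the message to a library: an Encrypted* element with no EncryptedData inside, or one sitting under an unexpected parent. The decryption itself is deliberately left to OpenSAML, as the reply recommends.

```python
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 and XML Encryption specifications.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Where each saml2:Encrypted* element is allowed to live, per the reply.
EXPECTED_PARENT = {
    "EncryptedAssertion": "Response",
    "EncryptedID": "Subject",
    "EncryptedAttribute": "AttributeStatement",
}

# Constructed sample: one EncryptedAssertion with an inline EncryptedKey,
# and one plain Assertion holding an EncryptedID and an EncryptedAttribute.
# The CipherValue strings are placeholders, not real encrypted content.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </saml:EncryptedAssertion>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:EncryptedID>
        <xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
      </saml:EncryptedID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:EncryptedAttribute>
        <xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>DDDD</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
      </saml:EncryptedAttribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed malformed sample: an EncryptedID with no EncryptedData at all.
MALFORMED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:EncryptedID/></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def inventory_encrypted_elements(xml_text):
    """Return one record per saml2:Encrypted* element, in document order."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    saml_prefix = "{" + NS["saml"] + "}"
    records = []
    for el in root.iter():
        name = _local(el.tag)
        if not (el.tag.startswith(saml_prefix) and name in EXPECTED_PARENT):
            continue
        parent = parent_of.get(el)
        data = el.find("xenc:EncryptedData", NS)
        method = data.find("xenc:EncryptionMethod", NS) if data is not None else None
        records.append({
            "element": name,
            "parent": _local(parent.tag) if parent is not None else None,
            "has_encrypted_data": data is not None,
            "data_algorithm": method.get("Algorithm") if method is not None else None,
            "encrypted_keys": len(el.findall("xenc:EncryptedKey", NS)),
        })
    return records


def structural_problems(records):
    """Flag Encrypted* elements that are empty or sit under the wrong parent."""
    problems = []
    for r in records:
        if not r["has_encrypted_data"]:
            problems.append(f"{r['element']} lacks xenc:EncryptedData")
        if r["parent"] != EXPECTED_PARENT[r["element"]]:
            problems.append(
                f"{r['element']} under {r['parent']}, expected {EXPECTED_PARENT[r['element']]}")
    return problems


if __name__ == "__main__":
    for r in inventory_encrypted_elements(SAMPLE_RESPONSE):
        print(r)
    print("problems:", structural_problems(inventory_encrypted_elements(MALFORMED_RESPONSE)))
```

The inventory is read-only reconnaissance of the message shape; it never touches key material. On the constructed sample it reports the three elements in document order, with only the EncryptedAssertion carrying an EncryptionMethod and an inline EncryptedKey, and on the malformed sample it reports the empty EncryptedID. Actual decryption, key resolution and KEK unwrapping belong to OpenSAML's Decrypter, as the reply says.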