Subject: Re: [saml-dev] encrypting saml protocol messages

On 10/31/11 3:27 PM, swu@axolotl.com wrote:
> Thanks, Hal,
> agreed... but can't a SAML Response element contain an encrypted element
> inside of it?

A SAML 2.0 Response can directly contain an EncryptedAssertion, or a
(non-encrypted) Assertion can contain an EncryptedID in its Subject or
one or more EncryptedAttribute's in an AttributeStatement.

> If we detect the EncryptedElement 

There isn't an element here literally called 'EncryptedElement'; there
are the SAML 2.0 saml2:Encrypted* elements above, which will contain an
XML Encryption-defined xmlenc:EncryptedData and possibly zero or more
> in DOM/SAX then before
> passing things to OpenSAML (which is the reference implementation we are
> using), we should decrypt it first.

The OpenSAML library specifically has support for encrypting and
decrypting the SAML 2.0 Encrypted* things directly in our XMLObject
abstraction, as well as support for handling key resolution, key
encryption key (KEK) decryption, etc.  You shouldn't need to do anything
at the DOM/SAX level when using OpenSAML, unless you have very odd and
atypical requirements vis-a-vis SAML and XML Encryption.

You didn't mention Java vs C++, but the Java docs on encryption support
are in the users guide here:


If you need specific guidance or have questions on using these features,
you are welcome to continue this discussion on our OpenSAML developer's
list (which is recently now co-resident with the Shibboleth developer's

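As an added illustration of the structure described in the reply above (not code from the thread or from OpenSAML), the following Python script walks a SAML 2.0 Response and reports where the saml2:Encrypted* elements sit: an EncryptedAssertion directly under the Response, an EncryptedID in a Subject, or an EncryptedAttribute in an AttributeStatement, each wrapping an xmlenc:EncryptedData with zero or more xmlenc:EncryptedKey elements (inline in ds:KeyInfo or as siblings of the EncryptedData). The sample Response, its ID values and the cipher values are constructed placeholders; the script only inspects structure and decrypts nothing, which is the kind of pre-check a relying party might run before handing the message to a library such as OpenSAML that does the real decryption.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The three SAML 2.0 element types that carry XML Encryption payloads.
ENCRYPTED_TAGS = {"{%s}%s" % (NS["saml"], t)
                  for t in ("EncryptedAssertion", "EncryptedID", "EncryptedAttribute")}

# Constructed sample (not a real IdP message): one EncryptedAssertion, plus a
# plain Assertion holding an EncryptedID and an EncryptedAttribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_placeholder-resp" Version="2.0" IssueInstant="2011-10-31T15:27:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-KEK</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-ASSERTION</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
  <saml:Assertion ID="_placeholder-a1" Version="2.0" IssueInstant="2011-10-31T15:27:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject>
      <saml:EncryptedID>
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-ID</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-KEK</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </saml:EncryptedID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute>
      <saml:EncryptedAttribute>
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-ATTR</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </saml:EncryptedAttribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag):
    """Strip the '{namespace}' prefix from an ElementTree tag."""
    return tag.split("}")[-1]


def find_encrypted_elements(xml_text):
    """Return one record per saml:Encrypted* element, in document order.

    Each record names the element, its parent, the data-encryption algorithm
    declared on the xmlenc:EncryptedData, and how many xmlenc:EncryptedKey
    elements (inline in ds:KeyInfo or as siblings of EncryptedData) carry the
    wrapped content-encryption key. A saml:Encrypted* element without an
    EncryptedData child is malformed per the SAML 2.0 schema and is rejected.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for el in root.iter():
        if el.tag not in ENCRYPTED_TAGS:
            continue
        enc_data = el.find("xenc:EncryptedData", NS)
        if enc_data is None:
            raise ValueError("%s lacks xenc:EncryptedData" % _local(el.tag))
        method = enc_data.find("xenc:EncryptionMethod", NS)
        inline_keys = enc_data.findall("ds:KeyInfo/xenc:EncryptedKey", NS)
        sibling_keys = el.findall("xenc:EncryptedKey", NS)
        found.append({
            "element": _local(el.tag),
            "parent": _local(parent_of[el].tag),
            "algorithm": method.get("Algorithm") if method is not None else None,
            "encrypted_keys": len(inline_keys) + len(sibling_keys),
        })
    return found


def needs_decryption(xml_text):
    """True if the message carries any saml:Encrypted* element."""
    return bool(find_encrypted_elements(xml_text))


if __name__ == "__main__":
    for rec in find_encrypted_elements(SAMPLE_RESPONSE):
        print("%(element)s under %(parent)s: %(algorithm)s, "
              "%(encrypted_keys)d EncryptedKey" % rec)
```

The inspection runs on the parsed tree rather than on raw SAX events, which keeps the check independent of element order, and the record it produces is enough to decide which key-resolution path (inline EncryptedKey versus a key agreed out of band) the decrypting library will have to take.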