OASIS Mailing List Archives

saml-dev message


Subject: role of public key in encrypted assertion

Hi. I just received the message below from an SP/RP we're trying to
federate with. Logins (SAML 2.0 WebSSO with encrypted assertions) fail
at their end (custom SAML implementation, AFAICT) and our IdP
implementation gets the blame for that.

While I'd prefer to have the SP tell me specifically what part of
which spec they think we're violating (instead of shifting the burden
of proof to me to show that we're in compliance), I'd like to get this
sorted out ASAP and so would ask for something I can quote to the SP,
or hints to the relevant spec.

> The problem is that the certificate for IDP
> https://idp.example.org/saml is different in the metadata and in the
> SAML Response.
> Metadata certificate
> <ds:X509Certificate>
[removed public key of our IdP]
> </ds:X509Certificate>
> SAML Response certificate
> <ds:X509Certificate>
[removed public key of the SP, to which the assertion was encrypted]
> </ds:X509Certificate>

This message (that's all of it) seems to imply that the incriminated
key at:
should be the IdP's public key.
From glancing over XMLenc (section 3.5.1) and section 3.2.2 of the old
"SAML Implementation Guidelines" (returned by $searchengine) I
conclude that the SP's public key is included in order to inform the
SP which of its keys had been used to encrypt the payload (encryption
Furthermore, my guess is that the SP's tech-c (writing the above to me)
is mistaken and is thinking of (unencrypted) XMLsig, where it would make
sense to include the issuer's public key in order to aid the SP in
verifying the issuer's signature.
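The distinction drawn above (the certificate inside `xenc:EncryptedKey/ds:KeyInfo` names the recipient's decryption key, while the certificate inside the Response's `ds:Signature/ds:KeyInfo` names the issuer's signing key) can be checked mechanically against both parties' metadata. The script below is an added example written for this thread, not code from the original poster or from any SAML implementation. It assumes a Response with an `EncryptedAssertion` whose `EncryptedKey` sits inside `EncryptedData/ds:KeyInfo`, and it uses constructed placeholder certificate strings and a constructed SP entity ID; only the IdP entity ID comes from the message above.

```python
"""Which certificate belongs where in a SAML 2.0 Response with an EncryptedAssertion?

- ds:Signature/ds:KeyInfo on the Response  -> issuer (IdP) signing cert, must match IdP metadata
- xenc:EncryptedKey/ds:KeyInfo             -> recipient (SP) encryption cert, must match SP metadata
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed placeholders standing in for base64 DER certificates (not real keys).
IDP_SIGNING_CERT = "MIIC...IDP-SIGNING-PLACEHOLDER..."
SP_ENCRYPTION_CERT = "MIIC...SP-ENCRYPTION-PLACEHOLDER..."

# Constructed sample Response: signed by the IdP, assertion encrypted to the SP's key.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_SIGNING_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo><xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SP_ENCRYPTION_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>ZGF0YQ==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed metadata fragments for both parties (SP entity ID is made up).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}"><md:KeyDescriptor use="signing">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_SIGNING_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sp.example.net/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}"><md:KeyDescriptor use="encryption">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SP_ENCRYPTION_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>"""


def _norm(b64):
    """Strip whitespace and line folding so certificates compare exactly."""
    return "".join((b64 or "").split())


def _certs_under(el):
    """All X509Certificate values below an element (empty list if element is absent)."""
    if el is None:
        return []
    return [_norm(c.text) for c in el.iter(f"{{{NS['ds']}}}X509Certificate")]


def certs_in_metadata(metadata_xml, use):
    """Certificates a party publishes for 'signing' or 'encryption'.
    A KeyDescriptor with no 'use' attribute is valid for both purposes."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") in (None, use):
            found.update(_certs_under(kd))
    return found


def certs_in_response(response_xml):
    """Split the certificates in a Response by the role their KeyInfo plays."""
    root = ET.fromstring(response_xml)
    encrypted_key = []
    ea = root.find("saml:EncryptedAssertion", NS)
    if ea is not None:
        for ek in ea.iter(f"{{{NS['xenc']}}}EncryptedKey"):
            encrypted_key.extend(_certs_under(ek))
    return {"signature": _certs_under(root.find("ds:Signature", NS)),
            "encrypted_key": encrypted_key}


def check_response(response_xml, idp_metadata_xml, sp_metadata_xml):
    """Return a list of findings; an empty list means both KeyInfos match metadata."""
    idp_signing = certs_in_metadata(idp_metadata_xml, "signing")
    sp_encryption = certs_in_metadata(sp_metadata_xml, "encryption")
    seen = certs_in_response(response_xml)
    problems = []
    for cert in seen["signature"]:
        if cert not in idp_signing:
            problems.append("Signature KeyInfo: certificate not in IdP signing metadata")
    for cert in seen["encrypted_key"]:
        if cert in idp_signing and cert not in sp_encryption:
            problems.append("EncryptedKey KeyInfo: IdP's own certificate, assertion encrypted to the wrong party")
        elif cert not in sp_encryption:
            problems.append("EncryptedKey KeyInfo: certificate not in SP encryption metadata")
    return problems


if __name__ == "__main__":
    print(certs_in_response(SAMPLE_RESPONSE))
    print(check_response(SAMPLE_RESPONSE, IDP_METADATA, SP_METADATA) or "OK: keys in expected roles")
```

The third finding is the one to watch for on the IdP side: if the IdP ever encrypts to its own certificate instead of the SP's, the `EncryptedKey` KeyInfo will match IdP metadata and the SP genuinely cannot decrypt. When the check returns an empty list for the exchange the SP complained about, the IdP is doing what XMLenc section 3.5.1 describes, and the SP's expectation that the IdP certificate appear there is the misunderstanding.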