Friday, 22 July 2022

SAML verification SP/IDP, encryption overview


https://security.stackexchange.com/questions/147319/how-does-saml-signature-exchange-work-between-idp-and-sp

How do the SP and IdP verify each other?

- through certificates and signatures

The SP and IdP verify each other using the certificates they have exchanged with one another (typically via metadata).

The SP must match the certificate it has stored against the X.509 certificate sent by the IdP in the SAML message.

Then the SP uses the public key in that X.509 certificate to verify the signature that the IdP produced with its private key.


"

  • IDP has its own public (PB1) and private (PV1) key pair
  • SP has its own public (PB2) and private (PV2) key pair

Now when an IDP has to sign data, it does so by using its private key PV1. Then SP can verify it using the public key PB1 accessible to SP via metadata of IDP / KeyInfo.

Likewise, if SP has to sign data, it does so using its own private key PV2; then IDP can verify the signed data using public key PB2 accessible to IDP via metadata of SP / KeyInfo."


https://www.componentspace.com/forums/8819/is-it-required-to-encrypted-the-assertion-in-idp-sso-response-what-is-the-benefit-of-encrypting-the-

SAML encryption (if needed: the IdP generates a random symmetric key and encrypts it with the SP's public key; the data is encrypted with the symmetric key. The SP first decrypts the symmetric key, then decrypts the data.)

1. Encrypting the SAML assertion is optional. In most situations it isn't encrypted and privacy is provided at the transport layer using HTTPS.

2. It's an extra level of security that's enabled if the SAML assertion contains particularly sensitive user information or the environment dictates the need. HTTPS should always be used, so SAML assertion encryption is on top of the security provided at the transport layer. If there are intermediate network nodes, the HTTPS traffic may be decrypted. The SAML assertion will remain encrypted from IdP through to SP regardless of any intermediate network nodes.

3. Instead of the <Assertion> node there's an <EncryptedAssertion> node.


If encryption is needed:

The IdP encrypts the SAML assertion with a random symmetric key, which in turn is encrypted with the SP's public key.
The SP uses its private key to decrypt the symmetric key, which in turn is used to decrypt the SAML assertion.

This ensures that only the SP (the holder of the matching private key) can decrypt the SAML assertion.
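The two exchanges in these notes, the signature check (stored cert must match the cert in the message, then verify with its public key) and the encrypted-assertion flow (random symmetric key wrapped with the SP's public key), as one added example that is not from the original post or the linked threads. It uses the `cryptography` library (assumed installed), models the X.509 certificate as a bare PEM public key, and operates on constructed bytes rather than canonicalized XML-DSig, so it shows the key handling, not a real SAML parser.

```python
# Added example (not part of the original post): a minimal model of the two SAML
# exchanges described above, using the `cryptography` library (assumed installed).
# Key pairs and the "assertion" bytes are constructed here; no real IdP/SP or XML-DSig.
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP is used to wrap the symmetric key (stands in for xenc EncryptedKey)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_keypair():
    """One RSA pair per party: (PV, PB) in the quoted answer's notation."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def public_pem(private_key):
    """What a party publishes in its metadata (stands in for the X.509 cert)."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)


def sign(private_key, data):
    """Sender signs with its private key (IdP uses PV1, SP uses PV2)."""
    return private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def verify(stored_pem, keyinfo_pem, data, signature):
    """Receiver-side check in two steps, as the notes describe:
    1. the key/cert carried in the message (KeyInfo) must match the one stored
       from the peer's metadata, otherwise anyone could ship their own key;
    2. the stored public key is used to verify the signature."""
    if keyinfo_pem != stored_pem:
        return False
    pub = serialization.load_pem_public_key(stored_pem)
    try:
        pub.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def encrypt_assertion(sp_public_pem, assertion):
    """IdP side: random symmetric key encrypts the data; the key is wrapped for the SP."""
    sym_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(sym_key).encrypt(nonce, assertion, None)
    wrapped_key = serialization.load_pem_public_key(sp_public_pem).encrypt(sym_key, OAEP)
    # Models <EncryptedAssertion>: EncryptedKey (for the SP) plus EncryptedData
    return {"enc_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}


def decrypt_assertion(sp_private_key, envelope):
    """SP side: unwrap the symmetric key with its own private key, then decrypt the data.
    Returns None if this party is not the intended recipient or the data was altered."""
    try:
        sym_key = sp_private_key.decrypt(envelope["enc_key"], OAEP)
        return AESGCM(sym_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    except (ValueError, InvalidTag):
        return None


def run_flow():
    """Walk through both exchanges and report each check's outcome."""
    idp_key, sp_key, other_key = make_keypair(), make_keypair(), make_keypair()
    idp_pb1, sp_pb2 = public_pem(idp_key), public_pem(sp_key)  # exchanged via metadata

    assertion = b"<Assertion><Subject>alice@example.test</Subject></Assertion>"  # constructed
    sig = sign(idp_key, assertion)
    tampered = assertion.replace(b"alice", b"mallory")
    results = {
        # SP verifies the IdP's signature with PB1 taken from metadata
        "idp_sig_ok": verify(idp_pb1, idp_pb1, assertion, sig),
        # altered content no longer matches the signature
        "tamper_detected": not verify(idp_pb1, idp_pb1, tampered, sig),
        # message carries a key that differs from the stored one: rejected before verifying
        "foreign_key_rejected": not verify(idp_pb1, public_pem(other_key), assertion,
                                           sign(other_key, assertion)),
    }
    # IdP encrypts for the SP; only PV2 can unwrap the symmetric key
    env = encrypt_assertion(sp_pb2, assertion)
    results["sp_decrypts"] = decrypt_assertion(sp_key, env) == assertion
    results["other_party_cannot_decrypt"] = decrypt_assertion(other_key, env) is None
    return results


if __name__ == "__main__":
    for check, ok in run_flow().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The `verify` helper deliberately compares the key carried in the message against the stored metadata copy before doing any cryptography; trusting whatever KeyInfo a message supplies would make the signature check meaningless, which is the point the first set of notes makes about matching the stored certificate.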
