I think I have asked this before but I do not recall if I received a definitive answer...
Does the pysaml2 IdP object (and therefore SATOSA) support sending an
encrypted SAML response to the SP?
The question is really about if the satosa saml frontend can be
configured to encrypt the authn-response assertions, right?
Right.
Atm, I don't see any way to do this from the saml frontend, but here's a patch for you:
https://github.com/c00kiemon5ter/SATOSA/commit/8523309cc0ddad84dac68327ae66…
If so, what is the configuration option(s)?
The entry point to pysaml2 from saml frontend is
server.py:create_authn_response() which accepts the argument
'encrypt_assertion'.
pysaml2 already includes the configuration option 'encrypt_assertion'
but it does not seem to be used anywhere (I have talked about such
inconsistencies before.)
You should now be able to use 'encrypt_assertion' the same way you
would use 'sign_assertion' or 'sign_response'.
Try it out and let me know!
Thanks.
Unfortunately the encrypted assertion is not able to be consumed by a
Shibboleth SP. I suspect pysaml2 is doing something non-standard, but I
will have to dig into the XML to understand precisely what...
Thanks,
Scott
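A small diagnostic for the "dig into the XML" step above, added here and not part of pysaml2, SATOSA or this thread: it parses a SAML Response, counts plain versus encrypted assertions, and flags where a saml:EncryptedAssertion deviates from the xmlenc structure an SP decrypts (EncryptedData Type, EncryptionMethod, EncryptedKey). The sample response is constructed, not captured IdP output.

```python
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_response(xml_text):
    """Count plain vs. encrypted assertions and flag deviations from the xmlenc shape."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    problems = []
    for ea in encrypted:
        data = ea.find("xenc:EncryptedData", NS)
        if data is None:
            problems.append("EncryptedAssertion without xenc:EncryptedData")
            continue
        if data.get("Type") != NS["xenc"] + "Element":
            problems.append("EncryptedData Type is not xmlenc#Element")
        if data.find("xenc:EncryptionMethod", NS) is None:
            problems.append("EncryptedData lacks EncryptionMethod")
        # session key must travel as an EncryptedKey, inside ds:KeyInfo or as a sibling
        if (data.find("ds:KeyInfo/xenc:EncryptedKey", NS) is None
                and ea.find("xenc:EncryptedKey", NS) is None):
            problems.append("no xenc:EncryptedKey carrying the session key")
    return {"plain": len(plain), "encrypted": len(encrypted), "problems": problems}

# Constructed sample, not real IdP output; CipherValue contents are dummies.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:EncryptedAssertion>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Type="http://www.w3.org/2001/04/xmlenc#Element">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey>
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
   </ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </saml:EncryptedAssertion>
</samlp:Response>"""
```

Run `inspect_response` over the response the SP actually rejected; a non-empty `problems` list points at the deviation to compare against what the SP's decryption logs complain about.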