Hello and sorry for taking so long to look into this,
On Tue, 13 Nov 2018 at 17:13, David Huebner <david.huebner at daasi.de> wrote:
Hi all,
I want to include a KeyDescriptor for use=encryption in the generated
SAML2 metadata. I'm talking about the
{host}/Saml2/proxy_saml2_backend.xml endpoint.
The following config works (i.e. SATOSA happily accepts encrypted
assertions), however the metadata endpoint does *not* include
use="encryption":
sp_config:
  key_file: /etc/satosa/credentials/saml2backend.key
  cert_file: /etc/satosa/credentials/saml2backend.crt
On the other hand, the following config does not work (i.e. SATOSA
throws an exception, once an encrypted assertion is received), however
the metadata endpoint *does* include use="encryption":
sp_config:
  key_file: /etc/satosa/credentials/saml2backend.key
  cert_file: /etc/satosa/credentials/saml2backend.crt
  encryption_keypairs:
    - key_file: /etc/satosa/credentials/saml2backend.key
      cert_file: /etc/satosa/credentials/saml2backend.crt
Using this config I have two KeyDescriptor elements, one with
use="signing" and the other with use="encryption". Receiving encrypted
attributes works for me.
What is the exact error that you get? Do you have a log-file at hand?
I'm sure there's an easy solution. Anyone able to help?
Currently using encryption_keypairs is the only way to get
use="encryption". This configuration is not very intuitive nor
helpful. To make things more complicated there's also a
'metadata_key_usage' configuration option (undocumented just like
encryption_keypairs; note to fix!). I am thinking that we should have
one configuration option named keypairs that would include the use of
the pair:
keypairs:
  - key: /path/to/file.key
    cert: /path/to/file.crt
    use: encryption  # or 'signing' or omitted
  - key: other.key
    cert: other.crt
    # 'use' property will be omitted / can be used for both signing and encryption
I think this is way more straightforward and would probably make the
code cleaner too.
Copying from the saml2 metadata specification[0] errata, to keep in mind:
[E62] A use value of "signing" means that the contained key information is
applicable to both signing and TLS/SSL operations performed by the entity
when acting in the enclosing role. A use value of "encryption" means that
the contained key information is suitable for use in wrapping encryption
keys for use by the entity when acting in the enclosing role. If the use
attribute is omitted, then the contained key information is applicable to
both of the above uses.
[E68] The inclusion of multiple elements with the same use attribute (or no
such attribute) indicates that any of the included keys may be used by the
containing role or affiliation. A relying party SHOULD allow for the use of
any of the included keys. When possible the signing or encrypting party
SHOULD indicate as specifically as possible which key it used to enable
more efficient processing.
[0]: https://www.oasis-open.org/committees/download.php/56786/sstc-saml-metadata…
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
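A worked example, added here and not part of the thread nor of SATOSA or pysaml2 code: it takes the `keypairs` layout Ivan proposes above (key, cert, optional `use`), emits one md:KeyDescriptor per pair with the `use` attribute set or omitted exactly as configured, and on the relying-party side applies the E62/E68 rule that an omitted `use` covers both signing and encryption and that every matching key is acceptable. The entity ID, the file paths and the base64 certificate bodies are constructed placeholders (real deployments would read the PEM files named in `cert`); the function names are the example's own.

```python
"""Added example: build SAML2 SP metadata KeyDescriptors from a unified
`keypairs` config and resolve usable keys per the metadata errata E62/E68.
Not SATOSA/pysaml2 code; all names and sample values are constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# The two values the metadata schema allows for KeyDescriptor/@use.
VALID_USES = {"signing", "encryption"}

# Constructed sample config in the proposed `keypairs` shape (hypothetical paths).
KEYPAIRS = [
    {"key": "/path/to/enc.key", "cert": "/path/to/enc.crt", "use": "encryption"},
    {"key": "/path/to/sig.key", "cert": "/path/to/sig.crt", "use": "signing"},
    {"key": "other.key", "cert": "other.crt"},  # use omitted: both purposes
]

# Constructed stand-ins for the base64 DER bodies that would be read from the
# cert files above; real code would load and strip the PEM armour here.
CERT_BODIES = {
    "/path/to/enc.crt": "PLACEHOLDER-CERT-ENC",
    "/path/to/sig.crt": "PLACEHOLDER-CERT-SIG",
    "other.crt": "PLACEHOLDER-CERT-ANY",
}


def key_descriptors(keypairs, cert_bodies):
    """One md:KeyDescriptor per pair. A missing `use` yields no attribute,
    which per E62 advertises the key for both signing and encryption."""
    descriptors = []
    for pair in keypairs:
        use = pair.get("use")
        if use is not None and use not in VALID_USES:
            raise ValueError(f"invalid use {use!r} for {pair['cert']}")
        kd = ET.Element(f"{{{MD_NS}}}KeyDescriptor")
        if use is not None:
            kd.set("use", use)
        key_info = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
        cert_el = ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate")
        cert_el.text = cert_bodies[pair["cert"]]
        descriptors.append(kd)
    return descriptors


def sp_metadata(entity_id, keypairs, cert_bodies):
    """Minimal EntityDescriptor/SPSSODescriptor carrying the KeyDescriptors."""
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        ed, f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
    )
    sp.extend(key_descriptors(keypairs, cert_bodies))
    return ET.tostring(ed, encoding="unicode")


def keys_for(metadata_xml, purpose):
    """Relying-party side: return every X509Certificate body that may be used
    for `purpose` ('signing' or 'encryption'). Per E62 an omitted `use`
    matches either purpose; per E68 all matching keys are returned so the
    caller can accept any of them (e.g. try each when decrypting)."""
    if purpose not in VALID_USES:
        raise ValueError(f"unknown purpose {purpose!r}")
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        if use is not None and use not in VALID_USES:
            raise ValueError(f"metadata carries invalid use {use!r}")
        if use is None or use == purpose:
            certs.extend(c.text for c in kd.iter(f"{{{DS_NS}}}X509Certificate"))
    return certs


if __name__ == "__main__":
    xml = sp_metadata("https://proxy.example.test/Saml2/proxy", KEYPAIRS, CERT_BODIES)
    print(xml)
    print("encryption keys:", keys_for(xml, "encryption"))
    print("signing keys:", keys_for(xml, "signing"))
```

With the sample config the emitted metadata carries three KeyDescriptors (use="encryption", use="signing", and one without the attribute); resolving for encryption yields the first and the third certificate, resolving for signing the second and the third, which is the behaviour the `keypairs` proposal is meant to make explicit in one place instead of across key_file/cert_file, encryption_keypairs and metadata_key_usage.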