OS2sandbox / sandbox-myndighedsidentitet-issues

Sandbox issuetracker for an OS2 configured IdP and SSO provider Authentik
https://goauthentik.io/
Creative Commons Zero v1.0 Universal

Merge changes to SAML Source response and metadata to support decryption of EncryptedAssertion elements. #62

Closed nicolas-semaphor closed 3 weeks ago

nicolas-semaphor commented 4 months ago

The base SAML source of Authentik does not support decryption of encrypted assertions from a SAML IdP, in our case the Context Handler of FKIS. Changes must be made to both the SAML metadata generator, such that the metadata specifies that assertions should be encrypted by the public key of the Service Provider (Authentik). An encryption key descriptor should also be added to the metadata, which contains the public key used for encryption.

Furthermore, the response processor also needs to be modified, such that the EncryptedAssertion element in the SAMLResponse will be decrypted by the private key of the service provider. The decrypted Assertion element should then replace the EncryptedAssertion element in the SAMLResponse.

A flag should be added to the SAML Source that controls whether or not the SP requests that assertions should be encrypted by its public key. For a basic implementation, that simply uses the existing signing key-pair already present in the source, a simple boolean on the SAML Source should suffice.
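As an added illustration, not code from this issue or from Authentik, here are the two pieces the post describes, written with the Python standard library: the SP metadata only gains a KeyDescriptor with use="encryption" when the per-source boolean is set, and the response processor swaps each EncryptedAssertion for the Assertion that a decryption callback returns. The `decrypt` callable (the actual XML-Encryption step with the SP private key), the entity ID, URLs and certificate value are assumptions supplied by the caller.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def _q(prefix, tag):
    """Clark-notation tag name for the given namespace prefix."""
    return f"{{{NS[prefix]}}}{tag}"

def build_sp_metadata(entity_id, acs_url, cert_b64, encrypt_assertions):
    """SP metadata; the encryption KeyDescriptor appears only when the flag is set.
    A basic implementation reuses the signing certificate for encryption."""
    root = ET.Element(_q("md", "EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(root, _q("md", "SPSSODescriptor"),
                       protocolSupportEnumeration=NS["samlp"])
    for use in (["signing", "encryption"] if encrypt_assertions else ["signing"]):
        kd = ET.SubElement(sp, _q("md", "KeyDescriptor"), use=use)
        x509 = ET.SubElement(ET.SubElement(kd, _q("ds", "KeyInfo")), _q("ds", "X509Data"))
        ET.SubElement(x509, _q("ds", "X509Certificate")).text = cert_b64
        if use == "encryption":
            # Advertise the session-key and key-transport algorithms the SP can decrypt.
            for alg in ("http://www.w3.org/2001/04/xmlenc#aes256-cbc",
                        "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"):
                ET.SubElement(kd, _q("md", "EncryptionMethod"), Algorithm=alg)
    ET.SubElement(sp, _q("md", "AssertionConsumerService"),
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=acs_url, index="0")
    return ET.tostring(root, encoding="unicode")

def replace_encrypted_assertion(response_xml, decrypt):
    """Replace every saml:EncryptedAssertion in the Response with the plaintext
    saml:Assertion produced by decrypt(encrypted_data_bytes) -> assertion_bytes."""
    root = ET.fromstring(response_xml)
    for enc in root.findall(_q("saml", "EncryptedAssertion")):
        enc_data = enc.find(_q("xenc", "EncryptedData"))
        if enc_data is None:
            raise ValueError("EncryptedAssertion without xenc:EncryptedData")
        plain = ET.fromstring(decrypt(ET.tostring(enc_data)))
        if plain.tag != _q("saml", "Assertion"):
            raise ValueError("decrypted content is not a saml:Assertion")
        # Put the Assertion where the EncryptedAssertion stood, then drop the latter.
        root.insert(list(root).index(enc), plain)
        root.remove(enc)
    return ET.tostring(root, encoding="unicode")
```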

janhalen commented 4 months ago

Attempting to contribute this to upstream here: https://github.com/goauthentik/authentik/issues/9172

nicolas-semaphor commented 3 months ago

Code is merged :-)

nicolas-semaphor commented 2 months ago

Not quite merged yet, some checks are failing.

nicolas-semaphor commented 3 weeks ago

https://github.com/goauthentik/authentik/pull/10099