search

mcguinness / saml-idp

Simple SAML Identity Provider (IdP) for Node
MIT License
441 stars 172 forks source link

Assertion encryption not working. #83

Open mkgn opened 1 year ago

mkgn commented 1 year ago

I am running node v14.8

To test assertion encryption, I created a key pair (btw.. without encryption everything works fine)

openssl genrsa -out assertion-enc-key.pem 2048 
openssl rsa -in assertion-enc-key.pem -outform PEM -pubout -out assertion-pub-key.pem <--extracted public key from above file

run the tool using below command line options.

node app.js --acsUrl http://cockerham.stratus.lk/Tenant/TestSsoAssertionConsumer 
--audience http://cockerham.stratus.com 
--encryptAssertion true 
--encryptionPublicKey ./assertion-pub-key.pem 
--encryptionCert ./assertion-enc-key.pem

Once I login; in the console it shows

Generating SAML Response using => { ... data to generate ... }

Then it gives below error and quits. I feel I may be using the options/keys wrong?

image

jazelly commented 1 year ago

The openssl genrsa command generates an RSA private key, which should not be filled into the --encryptionCert field.

encryptionPublicKey is used for digital signatures, which is typically stored at IDP and SP normally will sign with the corresponding private key on their end, while encryptionCert is used for encrypting the sensitive information during communication, so you can have SP to encrypt the request and IDP just need to hold the private key to decrypt it.

TL;DR You need 2 public keys from 2 pairs of keys. You can use the idp-public-cert.pem in the codebase for the encryptionCert field, or you can generate a pair by following the README.

As for the encryptionPublicKey, you can do openssl genpkey -algorithm RSA -out private_key.pem -aes256 openssl rsa -in private_key.pem -pubout -out public_key.pem

With corrected form of keys, this issue should be fixed paticularly. Undeniably, this is a bug within the samlp package it's using.

zhengxiangyue commented 1 year ago

Hi @jazelly, Can I have some questions? This app has been working well for my local testing. But recently I need to use the "assertion encryption" feature and I can only get a "CA.cer" certificates(from okta). I'm not sure what encryptionPublicKey should be and where to get it? Thank you!

jazelly commented 1 year ago

@zhengxiangyue My understanding is this:

I can only get a "CA.cer" certificates(from okta)

You shouldn't need to use a third-party IDP's certificate, as this repo acts as a mock IDP

I'm not sure what encryptionPublicKey should be and where to get it

Like what I suggested, you can generate a pair of public key and private key. The encryptionPublicKey should be the public key.

Hope that helps