omniauth / omniauth-saml

A generic SAML strategy for OmniAuth
https://github.com/omniauth/omniauth-saml

Support for encrypted assertions #98

Open dblessing opened 8 years ago

dblessing commented 8 years ago

Does omniauth-saml support encrypted assertions? ruby-saml does, so maybe it's possible here and I'm just not seeing it. If anyone has insight, please share.

md5 commented 8 years ago

I haven't tried it, but the settings for omniauth-saml pass through to ruby-saml, so you should be able to set the private_key setting to make it work. The readme also mentions setting certificate, but I don't think that's needed for decrypting assertions (though it may be helpful if your IdP is trying to determine the target public key from the metadata URL).

I believe this has been possible since https://github.com/omniauth/omniauth-saml/pull/82 was merged. There is some further discussion in #50, #52, and #58.

jiongye commented 8 years ago

@dblessing I am able to use encrypted assertions, all you need is to set the 'private_key' and 'certificate' in the setting when you pass it to the saml provider.

pitbulk commented 8 years ago

@md5 certificate is required not for decryption, but in order to offer this certificate in the SP metadata, so the IdP's admin can retrieve it and use it to encrypt the Assertion/NameID of the SAMLResponse.

md5 commented 8 years ago

@pitbulk I did mention that use case in my comment, but it's good to hear it directly from a ruby-saml developer like yourself.
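As an added illustration of the two settings discussed in this thread (not code from omniauth-saml or ruby-saml), the block below builds the `provider :saml` options with `private_key` and `certificate` and checks that the certificate published in SP metadata really belongs to the decryption key. The key pair and certificate are constructed inline so it runs offline; the host names, the other option names (`issuer`, `idp_sso_target_url`, `idp_cert`, `assertion_consumer_service_url`) and the IdP values are assumptions standing in for a real deployment's settings.

```ruby
require 'openssl'

# Constructed SP key pair and self-signed certificate so the example runs offline.
# In a real deployment, load the PEM files issued for the SP instead.
def build_sp_keypair(cn: 'sp.example.test')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Options hash for `provider :saml, **opts`; omniauth-saml passes them through
# to ruby-saml. :private_key is what decrypts EncryptedAssertion / EncryptedID;
# :certificate is what the SP metadata publishes so the IdP admin can encrypt
# for this SP. Option names other than those two are assumed here.
def saml_provider_options(key_pem, cert_pem, idp_sso_url:, idp_cert:)
  {
    issuer: 'https://sp.example.test/saml/metadata',            # assumed value
    assertion_consumer_service_url: 'https://sp.example.test/auth/saml/callback',
    idp_sso_target_url: idp_sso_url,
    idp_cert: idp_cert,
    private_key: key_pem,
    certificate: cert_pem
  }
end

# Sanity check for operators: if the published certificate does not belong to
# the configured private key, the IdP encrypts to a key the SP cannot use and
# every login fails at decryption time.
def certificate_matches_key?(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey::RSA.new(key_pem)
  cert.check_private_key(key)
end
```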