openanalytics / containerproxy

Manage HTTP proxy routes into Docker containers
Apache License 2.0

Support for SAML Decryption (decrypting SAML assertions) #86

Open akkornel opened 8 months ago

akkornel commented 8 months ago

Hello!

I know that containerproxy already has support for signing SAML requests. (I believe that was added to support SAML Logout?) I would like to request support for decrypting SAML assertions.

I see that the call to eu.openanalytics.containerproxy.auth.impl.saml.SAMLConfiguration.relyingPartyRegistration() does the setup on lines 151-154, using the configuration pulled through getSingingCredential(). Since that support is already in place, I wonder if it would be possible to copy that code, to provide decryptionX509Credentials to Spring's RelyingPartyRegistration. The problem is, I don't have much experience writing Java code, and no experience with Java build environments, which is why I'm not providing a PR myself, just an enhancement request.

So, why am I asking for it? Because my work is asking for it. I'm trying to set up Shinyproxy, using SAML authentication, where the IdP is running Shibboleth. My work has a policy, effective since late 2019, that new SPs must support decrypting SAML assertions, or go through an exceptions process. As an explanation for this need, they reference two vulnerabilities in SAML SPs, which would have been mitigated by using encrypted SAML assertions:

(Our Shibboleth IdP also supports OIDC, but that does not work, because of #85.)

So, that is my enhancement request. I apologize if I missed any information, and if you have any questions about my request, please let me know!
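The registration change requested above, shown as an added example in Java (not containerproxy's own code, and not a PR against it): a Spring Security `RelyingPartyRegistration` that carries both a signing credential (what containerproxy already configures) and a decryption credential via `decryptionX509Credentials`, so the SP can decrypt `EncryptedAssertion` elements sent by the IdP. The file paths, registration id, entity id and IdP metadata URL are assumed placeholders; in containerproxy they would be read from its application configuration.

```java
// Added example, not containerproxy's code. Builds a Spring Security SAML2
// RelyingPartyRegistration with a signing credential (existing behaviour) and a
// decryption credential (the requested behaviour). All paths/URLs are assumed.
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

public class SamlDecryptionRegistrationExample {

    /** Reads an unencrypted PKCS#8 PEM private key ("-----BEGIN PRIVATE KEY-----"). */
    static PrivateKey loadPkcs8Key(Path pem, String algorithm) throws Exception {
        String body = Files.readString(pem, StandardCharsets.US_ASCII)
                .replaceAll("-----BEGIN [A-Z ]+-----", "")
                .replaceAll("-----END [A-Z ]+-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Reads a PEM-encoded X.509 certificate. */
    static X509Certificate loadCert(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static RelyingPartyRegistration build() throws Exception {
        // Assumed key/cert locations; separate key pairs for signing and decryption
        // are used here so the encryption key can be rotated independently.
        PrivateKey signingKey = loadPkcs8Key(Path.of("/etc/shinyproxy/sp-signing.key"), "RSA");
        X509Certificate signingCert = loadCert(Path.of("/etc/shinyproxy/sp-signing.crt"));
        PrivateKey decryptionKey = loadPkcs8Key(Path.of("/etc/shinyproxy/sp-encryption.key"), "RSA");
        X509Certificate decryptionCert = loadCert(Path.of("/etc/shinyproxy/sp-encryption.crt"));

        return RelyingPartyRegistrations
                // Assumed IdP metadata URL; supplies the IdP's signing certificate and SSO endpoints.
                .fromMetadataLocation("https://idp.example.org/idp/shibboleth")
                .registrationId("shinyproxy")
                .entityId("https://shinyproxy.example.org/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("https://shinyproxy.example.org/login/saml2/sso/{registrationId}")
                // Existing behaviour: sign outgoing AuthnRequest / LogoutRequest messages.
                .signingX509Credentials(c -> c.add(Saml2X509Credential.signing(signingKey, signingCert)))
                // Requested behaviour: private key used to decrypt EncryptedAssertion / EncryptedID
                // in the IdP's Response. Spring publishes the matching certificate in the SP
                // metadata with use="encryption", which is what the IdP encrypts to.
                .decryptionX509Credentials(c -> c.add(Saml2X509Credential.decryption(decryptionKey, decryptionCert)))
                .build();
    }
}
```

With this in place the SP metadata generated by Spring Security advertises the decryption certificate as an encryption key, so once the IdP has re-read that metadata it will encrypt assertions to it; a useful check after deployment is to confirm that the IdP's `Response` now contains `saml:EncryptedAssertion` rather than a plaintext `saml:Assertion`.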

LEDfan commented 7 months ago

Hi

I can have a look at implementing this, but it will not be included in the next release. However, I just replied to issue #85, so I think you should be able to work with OpenID soon. In general, we also prefer OpenID over SAML, because of the better security and UX.