
Merge changes to SAML Source response and metadata to support decryption of EncryptedAssertion elements. #62

Closed
nicolas-semaphor opened this issue Apr 17, 2024 · 4 comments

@nicolas-semaphor
Collaborator

nicolas-semaphor commented Apr 17, 2024

The base SAML source of Authentik does not support decryption of encrypted assertions from a SAML IdP, in our case the Context Handler of FKIS. Changes must be made to the SAML metadata generator, such that the metadata specifies that assertions should be encrypted with the public key of the Service Provider (Authentik). An encryption key descriptor should also be added to the metadata, which contains the public key used for encryption.

Furthermore, the response processor also needs to be modified, such that the EncryptedAssertion element in the SAMLResponse will be decrypted with the private key of the service provider. The decrypted Assertion element should then replace the EncryptedAssertion element in the SAMLResponse.

A flag should be added to the SAML Source that controls whether or not the SP requests that assertions be encrypted with its public key. For a basic implementation that simply uses the existing signing key-pair already present in the source, a simple boolean on the SAML Source should suffice.
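An added example (not authentik's code, and not from the linked upstream PR) of the two structural changes described above, using only the Python standard library: inserting an encryption KeyDescriptor into the SP metadata, and swapping an EncryptedAssertion for its decrypted Assertion inside the Response. The actual XML-Encryption step is delegated to a caller-supplied `decrypt` callback (an assumption here; `fake_decrypt` stands in for it), and the sample metadata, response and certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata, XML Signature and assertion namespaces.
MD, DS, SAML = ("urn:oasis:names:tc:SAML:2.0:metadata",
                "http://www.w3.org/2000/09/xmldsig#",
                "urn:oasis:names:tc:SAML:2.0:assertion")
for p, u in (("md", MD), ("ds", DS), ("saml", SAML)):
    ET.register_namespace(p, u)

def add_encryption_key_descriptor(metadata_xml: str, cert_b64: str) -> str:
    """Insert <md:KeyDescriptor use="encryption"> with the SP cert, before the endpoints."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    kd = ET.Element(f"{{{MD}}}KeyDescriptor", {"use": "encryption"})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    # Schema order: Signature?, Extensions?, KeyDescriptor*, then the rest.
    head = (f"{{{DS}}}Signature", f"{{{MD}}}Extensions", f"{{{MD}}}KeyDescriptor")
    idx = next((i for i, c in enumerate(sp) if c.tag not in head), len(sp))
    sp.insert(idx, kd)
    return ET.tostring(root, encoding="unicode")

def replace_encrypted_assertions(response_xml: str, decrypt) -> str:
    """Swap each <saml:EncryptedAssertion> for the <saml:Assertion> decrypt(element) returns."""
    root = ET.fromstring(response_xml)
    for parent in list(root.iter()):  # snapshot, since children are mutated below
        for idx, child in enumerate(list(parent)):
            if child.tag == f"{{{SAML}}}EncryptedAssertion":
                assertion = decrypt(child)  # caller's XML-Encryption routine (assumed)
                if assertion.tag != f"{{{SAML}}}Assertion":
                    raise ValueError("decryption did not yield a saml:Assertion")
                parent.remove(child)
                parent.insert(idx, assertion)
    return ET.tostring(root, encoding="unicode")

# Constructed sample inputs; the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example/">'
                   '<md:SPSSODescriptor><md:AssertionConsumerService index="0" '
                   'Location="https://sp.example/acs"/></md:SPSSODescriptor></md:EntityDescriptor>')
SAMPLE_RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                   f'xmlns:saml="{SAML}" ID="_r1"><saml:EncryptedAssertion>'
                   '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
                   '</saml:EncryptedAssertion></samlp:Response>')

def fake_decrypt(_encrypted: ET.Element) -> ET.Element:
    """Stand-in for real decryption: returns a constructed plaintext Assertion."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_a1"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example/"
    return a
```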

@janhalen
Collaborator

Attempting to contribute this to upstream here: goauthentik/authentik#9172

@nicolas-semaphor
Collaborator Author

Code is merged :-)

@nicolas-semaphor
Collaborator Author

Not quite merged yet, some checks are failing.
