The base SAML source of Authentik does not support decryption of encrypted assertions from a SAML IdP, in our case the Context Handler of FKIS. Changes must be made to both the SAML metadata generator, such that the metadata specifies that assertions should be encrypted with the public key of the Service Provider (Authentik). An encryption key descriptor should also be added to the metadata, which contains the public key used for encryption.
Furthermore, the response processor also needs to be modified, such that the EncryptedAssertion element in the SAMLResponse will be decrypted with the private key of the service provider. The decrypted Assertion element should then replace the EncryptedAssertion element in the SAMLResponse.
A flag should be added to the SAML Source that controls whether or not the SP requests that assertions be encrypted with its public key. For a basic implementation that simply uses the existing signing key-pair already present in the source, a simple boolean on the SAML Source should suffice.
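The two changes described in the issue, as an added example that is neither part of the issue nor authentik's own code: a metadata `KeyDescriptor` with `use="encryption"` plus an `EncryptionMethod`, and a response step that decrypts `saml:EncryptedAssertion` with the SP private key and puts the resulting `saml:Assertion` back in its place. Everything beyond the issue text is an assumption: the IdP side is simulated in-process so the flow runs offline, the algorithms are the XML Encryption 1.0 pairing of AES-128-CBC content encryption with RSA-OAEP (SHA-1/MGF1-SHA-1) key transport (the FKIS Context Handler may use different ones), the public key is published as `ds:RSAKeyValue` rather than the certificate form real metadata would use, the `require_encryption` argument stands in for the proposed boolean on the SAML Source, and all function names and the sample assertion are constructed for the example. It needs only the standard-library ElementTree and the `cryptography` package.

```python
"""Encrypted SAML assertions at the SP. Added example, not authentik code: stdlib ElementTree + `cryptography`."""
import base64
import os
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"  # RSA-OAEP with SHA-1 and MGF1-SHA-1
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)


def q(prefix, local):  # Clark-notation tag for ElementTree, e.g. q("xenc", "CipherValue")
    return f"{{{NS[prefix]}}}{local}"


def add_encryption_key_descriptor(sp_descriptor, public_key):
    """Metadata change: <md:KeyDescriptor use="encryption"> with the SP public key and the data cipher the SP
    will decrypt. Shown as ds:RSAKeyValue (assumption); real metadata normally carries a ds:X509Certificate."""
    kd = ET.SubElement(sp_descriptor, q("md", "KeyDescriptor"), use="encryption")
    key_value = ET.SubElement(ET.SubElement(kd, q("ds", "KeyInfo")), q("ds", "KeyValue"))
    rsa_kv, nums = ET.SubElement(key_value, q("ds", "RSAKeyValue")), public_key.public_numbers()
    for tag, num in (("Modulus", nums.n), ("Exponent", nums.e)):
        ET.SubElement(rsa_kv, q("ds", tag)).text = base64.b64encode(num.to_bytes((num.bit_length() + 7) // 8, "big")).decode()
    ET.SubElement(kd, q("md", "EncryptionMethod"), Algorithm=AES128_CBC)


def encrypt_assertion(assertion, sp_public_key):
    """Simulated IdP (constructed for the example): XML Encryption of the whole element, AES-128-CBC + RSA-OAEP."""
    plain = ET.tostring(assertion)
    key, iv = os.urandom(16), os.urandom(16)
    pad = 16 - len(plain) % 16  # XML Enc padding: arbitrary filler, last byte is the pad length
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    body = iv + enc.update(plain + os.urandom(pad - 1) + bytes([pad])) + enc.finalize()
    ea = ET.Element(q("saml", "EncryptedAssertion"))
    ed = ET.SubElement(ea, q("xenc", "EncryptedData"), Type="http://www.w3.org/2001/04/xmlenc#Element")
    ET.SubElement(ed, q("xenc", "EncryptionMethod"), Algorithm=AES128_CBC)
    ek = ET.SubElement(ET.SubElement(ed, q("ds", "KeyInfo")), q("xenc", "EncryptedKey"))
    ET.SubElement(ek, q("xenc", "EncryptionMethod"), Algorithm=RSA_OAEP)
    for parent, payload in ((ek, sp_public_key.encrypt(key, OAEP)), (ed, body)):
        cipher_data = ET.SubElement(parent, q("xenc", "CipherData"))
        ET.SubElement(cipher_data, q("xenc", "CipherValue")).text = base64.b64encode(payload).decode()
    return ea


def decrypt_assertion(ea, sp_private_key):
    """SP side: decrypt to <saml:Assertion>. EncryptedKey may sit in EncryptedData/KeyInfo or beside EncryptedData."""
    ed, ek = ea.find("xenc:EncryptedData", NS), ea.find(".//xenc:EncryptedKey", NS)
    methods = [e.find("xenc:EncryptionMethod", NS) for e in (ed, ek) if e is not None]
    if [m.get("Algorithm") for m in methods if m is not None] != [AES128_CBC, RSA_OAEP]:
        raise ValueError("missing or unsupported algorithm; only what the SP advertised is accepted")
    aes_key = sp_private_key.decrypt(base64.b64decode(ek.find("xenc:CipherData/xenc:CipherValue", NS).text), OAEP)
    blob = base64.b64decode(ed.find("xenc:CipherData/xenc:CipherValue", NS).text)  # IV || ciphertext
    if len(aes_key) != 16 or len(blob) < 32 or len(blob) % 16:
        raise ValueError("key or ciphertext length inconsistent with aes128-cbc")
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(blob[:16])).decryptor()
    padded = dec.update(blob[16:]) + dec.finalize()
    if not 1 <= padded[-1] <= 16:
        raise ValueError("bad XML Encryption padding")
    assertion = ET.fromstring(padded[:-padded[-1]])
    if assertion.tag != q("saml", "Assertion"):
        raise ValueError("decrypted element is not a saml:Assertion")
    return assertion


def decrypt_response(response, sp_private_key, require_encryption):
    """Swap each EncryptedAssertion for its plaintext in place so the existing processor (signature check included)
    runs unchanged. require_encryption models the proposed flag and, beyond the issue text, also rejects plaintext."""
    for idx, child in enumerate(list(response)):
        if child.tag == q("saml", "EncryptedAssertion"):
            response.remove(child)
            response.insert(idx, decrypt_assertion(child, sp_private_key))
        elif child.tag == q("saml", "Assertion") and require_encryption:
            raise ValueError("plaintext assertion received although encryption is required")


def demo():  # round trip: SP metadata, simulated IdP response, decryption, then the downgrade rejection
    sp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sp = ET.Element(q("md", "SPSSODescriptor"), protocolSupportEnumeration=NS["samlp"])
    add_encryption_key_descriptor(sp, sp_key.public_key())
    assertion = ET.Element(q("saml", "Assertion"), ID="_a1", Version="2.0")  # constructed sample assertion
    ET.SubElement(ET.SubElement(assertion, q("saml", "Subject")), q("saml", "NameID")).text = "alice"
    response = ET.Element(q("samlp", "Response"), ID="_r1", Version="2.0")
    response.append(encrypt_assertion(assertion, sp_key.public_key()))
    wire = ET.tostring(response)  # what the SP actually receives: the NameID is not readable in it
    decrypt_response(response, sp_key, require_encryption=True)
    name_id = response.find("saml:Assertion/saml:Subject/saml:NameID", NS).text
    try:  # the response now holds a plaintext assertion, which models a downgraded IdP response
        decrypt_response(response, sp_key, require_encryption=True)
        rejected = False
    except ValueError:
        rejected = True
    return {"metadata": ET.tostring(sp).decode(), "wire_has_name_id": b"alice" in wire, "name_id": name_id,
            "encrypted_left": len(response.findall("saml:EncryptedAssertion", NS)), "downgrade_rejected": rejected}
```

Two points a reviewer of the real change would want kept in mind. Decryption gives confidentiality only: the swapped-in `saml:Assertion` must still go through the existing signature and issuer checks, which is why the replacement happens before, not instead of, that processing. And CBC without integrity is the classic XML Encryption weakness (a padding or parse failure that is distinguishable to the IdP-facing endpoint can become a decryption oracle), so the error paths above all collapse to one generic failure, and an IdP that offers AES-GCM should be preferred over `aes128-cbc` when that choice exists.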