Description:
The following error is received when an encrypted SAML assertion is received via IdP POST from an Okta IdP to WSO2:
Caused by: org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: Unable to decrypt the SAML Assertion
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:518)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.executeSAMLReponse(DefaultSAML2SSOManager.java:383)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSAMLResponse(DefaultSAML2SSOManager.java:374)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:331)
at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:252)
... 67 more
Caused by: java.lang.IndexOutOfBoundsException: Index: 0
at java.util.Collections$EmptyList.get(Collections.java:4454)
at org.opensaml.xml.util.LazyList.get(LazyList.java:90)
at org.opensaml.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:312)
at org.opensaml.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:238)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.getDecryptedAssertion(DefaultSAML2SSOManager.java:1151)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:516)
Looking at the XML, Okta is sending the EncryptedKey as a child of EncryptedAssertion:
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ...>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ...
</saml2:EncryptedAssertion>
Looking at the DefaultSAMLSSOManager.java, WSO2 is expecting the EncryptedKeys as a child of KeyInfo, i.e. encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().
Shouldn't the code also check for keys using encryptedAssertion.getEncryptedKeys() to comply with xmlenc or am I missing something? I believe the xmlenc specification supports three different options for retrieving EncryptedKeys.
NOTE: I have verified that the SAML Assertion can be decrypted using WSO2's private key using other SAML libraries.
Suggested Labels:
Suggested Assignees:
Affected Product Version:
All? Demonstrable in WSO2IS 5.4.1 and 5.7.0
OS, DB, other environment details and versions:
Windows or Linux with H2 or SQL Server
Steps to reproduce:
1. Configure WSO2 as a SAML application in Okta, specifying WSO2's certificate and assertion consumer URL, and enable SAML Assertion Encryption.
2. Configure Okta as an Identity Provider in WSO2 using metadata imported from Okta, and enable SAML Assertion Encryption.
3. Click on the Okta tile to initiate a SAML POST.
4. Observe the "Unable to decrypt SAML Assertion" error.
Related Issues:
N/A
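One way the lookup could honour all three xmlenc placements the issue refers to, as an added example that is not part of the issue or of WSO2's code: it configures the OpenSAML 2 Decrypter (the library visible in the trace as org.opensaml.xml) with a chain of EncryptedKey resolvers instead of reading only EncryptedData/KeyInfo. The class and method names are OpenSAML 2's; the AssertionDecryptor wrapper and its key arguments are assumed.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.EncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;

/** Hypothetical wrapper: decrypts an EncryptedAssertion wherever the IdP placed the EncryptedKey. */
public final class AssertionDecryptor {

    private final Decrypter decrypter;

    public AssertionDecryptor(PrivateKey spPrivateKey, X509Certificate spCertificate) {
        // The SP's own key pair is the key-encryption key (KEK) that unwraps the EncryptedKey.
        BasicX509Credential kek = new BasicX509Credential();
        kek.setPrivateKey(spPrivateKey);
        kek.setEntityCertificate(spCertificate);
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(kek);

        // Consult each xmlenc placement in turn rather than assuming EncryptedData/KeyInfo only.
        ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();
        List<EncryptedKeyResolver> chain = keyResolver.getResolverChain();
        chain.add(new InlineEncryptedKeyResolver());                // EncryptedData/KeyInfo/EncryptedKey
        chain.add(new EncryptedElementTypeEncryptedKeyResolver());  // EncryptedAssertion/EncryptedKey (Okta's layout)
        chain.add(new SimpleRetrievalMethodEncryptedKeyResolver()); // KeyInfo/RetrievalMethod URI="#id"

        // No resolver for a data-encryption key carried directly in KeyInfo; only the KEK path is used.
        this.decrypter = new Decrypter(null, kekResolver, keyResolver);
        this.decrypter.setRootInNewDocument(true);
    }

    /** Throws DecryptionException, rather than IndexOutOfBoundsException, when no key can be resolved. */
    public Assertion decrypt(EncryptedAssertion encryptedAssertion) throws DecryptionException {
        return decrypter.decrypt(encryptedAssertion);
    }
}
```

Because the chain fails with a DecryptionException instead of an unchecked exception, a missing or unresolvable key surfaces as the "Unable to decrypt" path rather than a raw index error in the log.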