ComponentSpace

Forums



Encrypted NameId how to decrypt


Encrypted NameId how to decrypt

Author
Message
slowcelica
slowcelica
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)

Group: Forum Members
Posts: 8, Visits: 30
I am trying to integrate with an Idp and they are sending over an encrypted nameId. It is not something that can be changed, I see options to decrypt the assertions but not the nameid. I am using the high level api, I've seen where this can be done using the core version but I haven't been able to find anything reference the regular asp.net version.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
In both the SAML for ASP.NET and SAML for ASP.NET Core products, we support encrypting the NameID included in the SAML logout request. However, neither product supports decrypting the NameID in the SAML assertion.

It's extremely rare to see the NameID or SAML attributes encrypted. Instead, it's much more common and makes more sense to encrypt the entire SAML assertion if more privacy beyond that provided by the transport layer security is required.

Is there any possibility the IdP can encrypt the SAML assertion rather than just the NameID?



Regards
ComponentSpace Development
slowcelica
slowcelica
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)

Group: Forum Members
Posts: 8, Visits: 30
ComponentSpace - 12/8/2021
In both the SAML for ASP.NET and SAML for ASP.NET Core products, we support encrypting the NameID included in the SAML logout request. However, neither product supports decrypting the NameID in the SAML assertion.

It's extremely rare to see the NameID or SAML attributes encrypted. Instead, it's much more common and makes more sense to encrypt the entire SAML assertion if more privacy beyond that provided by the transport layer security is required.

Is there any possibility the IdP can encrypt the SAML assertion rather than just the NameID?





Well then I won the lottery, it’s not possible for them to change encrypting the nameid, tried that first. I saw a post in the core forum that had a code snippet to decrypt it, but I’m just not sure how to do that using the asp.net libraries.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Please contact [email protected]. We might be able to add support in a beta.

To check exactly what you would like supported, please enable SAML trace and include the log file as an email attachment showing the encrypted Name ID.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace


Regards
ComponentSpace Development
slowcelica
slowcelica
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)

Group: Forum Members
Posts: 8, Visits: 30
ComponentSpace - 12/8/2021
Please contact [email protected]. We might be able to add support in a beta.

To check exactly what you would like supported, please enable SAML trace and include the log file as an email attachment showing the encrypted Name ID.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

For reference this last post is what I would like to do, but just in asp.net

https://www.componentspace.com/Forums/11218/Processing-decrypting-an-Assertion-containing-an-EncryptedID-element-someone-had-experience-example-?JumpToFirstUnreadPost=1

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
That link shows code that's part of the low-level API.

I'm assuming that when you call the high-level API, SAMLServiceProvider.ReceiveSSO, you'd like this to automatically decrypt the encrypted Name ID.

Is that correct?

Please contact us by email and include a log file showing the encrypted Name ID in the SAML response.

Thanks.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 1 query. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search