Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assertion encryption not working. #83

Open
mkgn opened this issue Dec 21, 2022 · 3 comments
Open

Assertion encryption not working. #83

mkgn opened this issue Dec 21, 2022 · 3 comments

Comments

@mkgn
Copy link

mkgn commented Dec 21, 2022

I am running node v14.8

To test assertion encryption, I created a key pair (btw.. without encryption everything works fine)

openssl genrsa -out assertion-enc-key.pem 2048 
openssl rsa -in assertion-enc-key.pem -outform PEM -pubout -out assertion-pub-key.pem <--extracted public key from above file

run the tool using below command line options.

node app.js --acsUrl http://cockerham.stratus.lk/Tenant/TestSsoAssertionConsumer 
--audience http://cockerham.stratus.com 
--encryptAssertion true 
--encryptionPublicKey ./assertion-pub-key.pem 
--encryptionCert ./assertion-enc-key.pem

Once I login; in the console it shows

Generating SAML Response using => { ... data to generate ... }

Then it gives below error and quits. I feel I may be using the options/keys wrong?

image
@jazelly
Copy link

jazelly commented Mar 28, 2023
edited
Loading

The openssl genrsa command generates an RSA private key, which should not be filled into the --encryptionCert field.

encryptionPublicKey is used for digital signatures, which is typically stored at IDP and SP normally will sign with the corresponding private key on their end, while encryptionCert is used for encrypting the sensitive information during communication, so you can have SP to encrypt the request and IDP just need to hold the private key to decrypt it.

TL;DR
You need 2 public keys from 2 pairs of keys. You can use the idp-public-cert.pem in the codebase for the encryptionCert field, or you can generate a pair by following the README.

As for the encryptionPublicKey, you can do
openssl genpkey -algorithm RSA -out private_key.pem -aes256
openssl rsa -in private_key.pem -pubout -out public_key.pem

With corrected form of keys, this issue should be fixed paticularly. Undeniably, this is a bug within the samlp package it's using.

@zhengxiangyue
Copy link

Hi @jazelly, Can I have some questions? This app has been working well for my local testing. But recently I need to use the "assertion encryption" feature and I can only get a "CA.cer" certificates(from okta). I'm not sure what encryptionPublicKey should be and where to get it? Thank you!

@jazelly
Copy link

jazelly commented Jul 7, 2023

@zhengxiangyue My understanding is this:

I can only get a "CA.cer" certificates(from okta)

You shouldn't need to use a third-party IDP's certificate, as this repo acts as a mock IDP

I'm not sure what encryptionPublicKey should be and where to get it

Like what I suggested, you can generate a pair of public key and private key. The encryptionPublicKey should be the public key.

Hope that helps

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mkgn @zhengxiangyue @jazelly