Forum Discussion
Error Encrypting a SAML Assertion from APM
- Nov 28, 2016
The certificates in question are used for symmetric key transport when an assertion (or parts of it) needs to be encrypted by APM as the IdP.
According to the SAML 2.0 specification, or more precisely xmlenc-core (https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/), there are only two algorithms that can be used for key transport:
Key Transport
* REQUIRED RSA-v1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
* REQUIRED RSA-OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
With the latter, RSA-OAEP, not recommended for use due to potential security implications!
Therefore, according to the SAML specification, DSA certificates are not allowed to be used for encryption.
Perfect, thanks Sergei! This is along the lines of what I was thinking must be happening. I will change them to RSA.