When does a SAML token get signed and encrypted?

  • Question

  • Created a SAML token manually and set signing and encrypting credentials, then serialized it into memory:

    // assumes signingCert and encryptingCert are X509Certificate2 instances loaded elsewhere
    SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor();

    descriptor.EncryptingCredentials = new EncryptedKeyEncryptingCredentials(encryptingCert); // set to x509

    descriptor.SigningCredentials = new X509SigningCredentials(signingCert); // set

    Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
    Saml2SecurityToken token = tokenHandler.CreateToken(descriptor) as Saml2SecurityToken;

    tokenHandler.WriteToken(xmlwriter, token);

    When does the token get signed and encrypted? I would like to send it to the client, signed and encrypted, as the return value of a method. I did not find much in the documentation.

    ajit
    Thursday, January 6, 2011 1:19 AM

Answers

  • OK - I just double-checked Reflector - the way it works is like this:

    - you create a SAML security token
    - you wrap that token in an EncryptedSecurityToken (passing in the encrypting credentials)

    - you then create a collection of handlers (adding the encrypted token handler and the saml token handler)
    - when you call WriteToken on the collection (passing in the encrypted security token)
      - the encrypted STH internally first calls the SAML token handler to produce the clear text token
      - and then encrypts the clear text token into a <EncryptedData> element

    This is a nice design, since it decouples the actual security token type from the xml encryption.

    Makes sense?


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    • Marked as answer by chintapali Thursday, January 6, 2011 6:37 PM
    Thursday, January 6, 2011 6:19 PM
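    Putting the steps from the answer above into code, as an added example that is not from the thread: it assumes .NET 4.5's System.IdentityModel (the same types live under Microsoft.IdentityModel in WIF 3.5), and that signingCert and recipientCert are X509Certificate2 instances loaded elsewhere; the issuer and audience URLs are placeholders.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;
using System.Xml.Linq;

static class SamlTokenWriter
{
    // signingCert needs its private key; recipientCert only needs the public key.
    public static string CreateSignedEncryptedToken(X509Certificate2 signingCert, X509Certificate2 recipientCert)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            TokenIssuerName = "https://issuer.example",        // placeholder issuer
            AppliesToAddress = "https://rp.example",           // placeholder audience
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(10)),
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "ajit") }),
            SigningCredentials = new X509SigningCredentials(signingCert),
        };

        // Step 1: build the SAML 2.0 assertion with the signing credentials attached.
        var samlHandler = new Saml2SecurityTokenHandler();
        SecurityToken samlToken = samlHandler.CreateToken(descriptor);

        // Step 2: wrap the token in an EncryptedSecurityToken with the recipient's key.
        var encryptedToken = new EncryptedSecurityToken(samlToken, new EncryptedKeyEncryptingCredentials(recipientCert));

        // Step 3: a collection holding both handlers. WriteToken dispatches to the
        // EncryptedSecurityTokenHandler, which has Saml2SecurityTokenHandler serialize the
        // clear-text assertion and then encrypts that XML into <xenc:EncryptedData>.
        var handlers = new SecurityTokenHandlerCollection { samlHandler, new EncryptedSecurityTokenHandler() };

        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            handlers.WriteToken(writer, encryptedToken);
        }
        return sb.ToString();
    }

    // Check before handing the token to a client: if the root is not EncryptedData,
    // the assertion and its claims are leaving in clear text.
    public static bool IsEncrypted(string tokenXml)
    {
        return XDocument.Parse(tokenXml).Root.Name == XName.Get("EncryptedData", "http://www.w3.org/2001/04/xmlenc#");
    }
}
```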

All replies

  • IIRC you need to create a token handler collection that includes the SAML token handler and the EncryptedSecurityTokenHandler.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Thursday, January 6, 2011 5:18 AM
  • EncryptedSecurityTokenHandler handles decrypting the token. Where is the token actually encrypted? After I create the saml2token with signing credentials and encrypting credentials?


    ajit

    • Edited by chintapali Thursday, January 6, 2011 3:43 PM
    Thursday, January 6, 2011 3:23 PM
  • You can programmatically create a SecurityTokenHandlerCollection - and add the handlers to it.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Thursday, January 6, 2011 3:43 PM
  • Thanks for all your responses.

    I understand that part, but what I don't get is where the encrypting/signing of the tokens is handled.

    tokenHandler.WriteToken(xmlwriter, token); // does this call actually encrypt the token?


    ajit
    Thursday, January 6, 2011 6:08 PM
  • This makes sense, but looking in Reflector, even Saml2SecurityTokenHandler is encrypting the token. Having 2 different tokens is a better design.


    ajit
    Thursday, January 6, 2011 6:37 PM
  • IIRC SAML 2 allows encrypting individual statements - that's probably what you see in the saml2 token handler code. The general design stays the same.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Thursday, January 6, 2011 6:44 PM