The issue was with something else. I just reused the code that processed POST binding to also process Redirect binding; but with Redirect binding, the payload is deflated, so the code for POST cannot be reused directly.
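The binding difference described in this answer, shown as an added example that is not part of the original post and is not SimpleSAMLphp code: the HTTP-POST binding carries the message as plain base64, while the HTTP-Redirect binding first applies raw DEFLATE, then base64, then URL-encoding. All function names are my own, and the LogoutResponse is a constructed sample, not real IdP output. The check on the XML root tag is what makes the "POST decoder applied to a Redirect payload" mistake visible.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample message (not real IdP output): a minimal, unencrypted LogoutResponse.
SAMPLE_LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAML_PROTOCOL_NS}" '
    'ID="_example-response" Version="2.0" IssueInstant="2022-06-28T00:00:00Z" '
    'InResponseTo="_example-request">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>'
)


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: the XML goes into the SAMLResponse form field as plain base64."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encoding,
    because the message travels in the SAMLResponse query parameter."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_post_binding(value: str) -> bytes:
    """Inverse of the POST binding: a single base64 decode."""
    return base64.b64decode(value)


def decode_redirect_binding(value: str) -> bytes:
    """Inverse of the Redirect binding: URL-decode, base64-decode, then inflate (raw DEFLATE)."""
    deflated = base64.b64decode(urllib.parse.unquote(value))
    return zlib.decompress(deflated, -15)


def saml_root_tag(data: bytes):
    """Return the root element's qualified tag if the bytes are well-formed XML, else None."""
    try:
        return ET.fromstring(data).tag
    except (ET.ParseError, ValueError):
        return None


def treat_redirect_as_post(value: str):
    """Reproduce the mistake from the answer: run the POST decoder on a Redirect payload.
    The result is still deflated bytes, so it never parses as XML (returns None)."""
    return saml_root_tag(decode_post_binding(urllib.parse.unquote(value)))


def decode_saml_message(value: str, binding: str) -> bytes:
    """Decode a SAMLRequest/SAMLResponse value for the named binding and check that the
    result is a SAML protocol message. Raises ValueError on any mismatch."""
    decoders = {"HTTP-POST": decode_post_binding, "HTTP-Redirect": decode_redirect_binding}
    if binding not in decoders:
        raise ValueError(f"unsupported binding: {binding}")
    try:
        data = decoders[binding](value)
    except (ValueError, zlib.error) as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"payload is not a valid {binding} encoding: {exc}") from None
    tag = saml_root_tag(data)
    if tag is None or not tag.startswith("{" + SAML_PROTOCOL_NS + "}"):
        raise ValueError(f"decoded {binding} payload is not a SAML protocol message")
    return data


if __name__ == "__main__":
    post_value = encode_post_binding(SAMPLE_LOGOUT_RESPONSE)
    redirect_value = encode_redirect_binding(SAMPLE_LOGOUT_RESPONSE)
    print(saml_root_tag(decode_saml_message(post_value, "HTTP-POST")))
    print(saml_root_tag(decode_saml_message(redirect_value, "HTTP-Redirect")))
    print(treat_redirect_as_post(redirect_value))  # None: deflated bytes are not XML
```

A web framework normally URL-decodes the query parameter before the application sees it, so the `unquote` step only exists here to mirror the encoder. Rejecting a payload whose root element is not in the SAML protocol namespace is a cheap guard to run before any signature or decryption step, and it is exactly the check that fails when the wrong binding's decoder is used.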
How to switch off logout encryption in simplesamlphp
28-06-2022
Question
All my logout responses from simplesamlphp IdP come encrypted. I looked in simplesamlphp docs but cannot find any option to switch off encryption.
(I have logout signing on; but signing should be independent of encryption, and use Redirect binding)
Is it possible to send logout responses via Redirect binding unencrypted? Or is it always on by default for some reason?
Solution 2
Parameter 'assertion.encryption' defined in IdP remote metadata
Whether assertions received from this IdP must be encrypted. The default value is FALSE. If this option is set to TRUE, assertions from the IdP must be encrypted. Unencrypted assertions will be rejected.
Note that this option overrides the option with the same name in the SP configuration.
Reference: http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
Parameter 'assertion.encryption' in saml20-idp-hosted.php
Whether assertions sent from this IdP should be encrypted. The default value is FALSE.
Note that this option can be set for each SP in the SP-remote metadata.
Reference: http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
Edited to add an explanation:
simpleSAMLphp uses the function encryptAssertion (modules/saml/lib/IdP/SAML2.php) to decide whether or not to encrypt each assertion that it handles. This function checks the value of 'assertion.encryption' defined in the IdP/SP metadata file (if this parameter is not defined, the assertion is not encrypted):
```php
private static function encryptAssertion(SimpleSAML_Configuration $idpMetadata,
                                         SimpleSAML_Configuration $spMetadata,
                                         SAML2_Assertion $assertion) {
    // The SP-remote setting wins when present; otherwise fall back to the IdP-hosted setting.
    $encryptAssertion = $spMetadata->getBoolean('assertion.encryption', NULL);
    if ($encryptAssertion === NULL) {
        $encryptAssertion = $idpMetadata->getBoolean('assertion.encryption', FALSE);
    }
    if (!$encryptAssertion) {
        /* We are _not_ encrypting this assertion, and are therefore done. */
        return $assertion;
    }
    // The encryption branch of the function is not reproduced in this answer.
}
```