Encrypting Assertions

On Wednesday, September 12th, we will be re-enabling encrypted assertions from our Identity Provider, IdPz, to each Service Provider (SP). This is to mitigate the XML security vulnerability that was published earlier. It should not functionally affect SPs, since we have had encrypted assertions before, but there is a small chance that some SPs will be affected.

SAML assertions are encrypted using the SP's certificate, sp-cert.pem, which SP admins supply to our Shib Admin when they register a Service Provider using the Service Provider Request Form (login required). Time has passed, and it is possible that system maintenance (an SP system rebuild or a service migration) has modified, replaced, or removed the SP's sp-key/sp-cert pair. If that changed sp-cert.pem has not been registered in UToronto_SAML_Metadata, IdPz will keep encrypting assertions to the old certificate, the SP's current private key will not be able to decrypt them, and authentication will fail.

When that happens the mismatch must be corrected on one side or the other. The SP admin can do that by restoring the original key/cert pair on the SP's server, or by supplying the new sp-cert.pem to Shib Admin so that the registered metadata matches the key the SP actually holds.
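The check an SP admin would want to run before September 12th, as an added example that is not part of this notice or of the Shibboleth SP software: it compares the public key held in sp-key.pem, the one in sp-cert.pem, and the one in the certificate registered for the SP in the SAML metadata, by hashing each key's DER-encoded SubjectPublicKeyInfo. A key that does not match its certificate is the "rebuilt server" case; a consistent pair that does not appear in the metadata is the "never re-registered" case, which is the one that will break once assertions are encrypted. The metadata file name and the entityID in the usage line are assumptions; the key and certificate file names are the ones this notice uses.

```shell
#!/bin/sh
# Added example: verify that sp-key.pem, sp-cert.pem and the certificate registered in
# the SAML metadata all carry the same public key. Requires the openssl CLI on PATH.
# Metadata path and entityID used here are assumptions, not taken from the notice.

# SHA-256 of the DER-encoded SubjectPublicKeyInfo read as a PEM public key on stdin.
spki_sha256() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Public-key fingerprint derived from a private key file (sp-key.pem). Empty on error.
key_fingerprint() {
    openssl pkey -in "$1" -pubout 2>/dev/null | spki_sha256
}

# Public-key fingerprint of an X.509 certificate file (sp-cert.pem). Empty on error.
cert_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null | spki_sha256
}

# Pull every X509Certificate element out of SAML metadata (with or without a namespace
# prefix, base64 possibly wrapped across lines), rewrap each as PEM and print its
# public-key fingerprint, one per line.
metadata_fingerprints() {
    awk 'BEGIN { RS = "<" }
         /^([A-Za-z0-9]+:)?X509Certificate>/ {
             sub(/^([A-Za-z0-9]+:)?X509Certificate>/, ""); gsub(/[ \t\r\n]/, "")
             if (length($0) > 0) print
         }' "$1" |
    while IFS= read -r b64; do
        {
            echo "-----BEGIN CERTIFICATE-----"
            printf '%s\n' "$b64" | fold -w 64
            echo "-----END CERTIFICATE-----"
        } | openssl x509 -pubkey -noout 2>/dev/null | spki_sha256
    done
}

# Returns 0 when key, cert and metadata agree; 1 when the local key and cert do not
# match each other (the SP cannot decrypt what its own cert advertises); 2 when the
# local pair is consistent but is not the cert registered with the IdP (the IdP will
# encrypt to a key the SP no longer has).
check_sp_keys() {
    key=$1; cert=$2; metadata=$3
    kf=$(key_fingerprint "$key")
    cf=$(cert_fingerprint "$cert")
    if [ -z "$kf" ] || [ "$kf" != "$cf" ]; then
        echo "MISMATCH: $key does not match $cert; restore the original pair or generate a new one"
        return 1
    fi
    if metadata_fingerprints "$metadata" | grep -qx "$cf"; then
        echo "OK: $cert matches $key and is registered in $metadata"
        return 0
    fi
    echo "STALE: $cert matches $key but is not registered in $metadata; send it to Shib Admin"
    return 2
}

# Usage (assumed file names): sh check_sp_keys.sh sp-key.pem sp-cert.pem sp-metadata.xml
if [ "$#" -eq 3 ]; then
    check_sp_keys "$@"
fi
```

Run it against the metadata entry for your own SP (the EntityDescriptor for your entityID, or an export filtered to it) rather than the whole federation aggregate: the script fingerprints every certificate in the file it is given, so a match against some other SP's certificate would be misleading. A STALE result is exactly the condition the notice warns about, and the fix is the one above: either restore the old pair or register the new sp-cert.pem.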

For details, visit our Encrypting Assertions web page. It includes a description of encrypted assertions as well as notes on why we are encrypting assertions (and why we weren't). It also documents how to recognize a certificate issue and how your SP admin can work with Shib Admin to remedy a mismatched certificate.