EncryptedAttributes are not supported

[HichamDz38]

i am communication with an IDP that has a policy to encrypt the attributes,
they cannot change the policy and i have to deal with encrypted Attributes,
what is the solution to parse Encrypted Attributes, and why it's not supported by the SAML-Toolkits?

[pitbulk]

HI @HichamDz38,

the toolkit supports encrypted attributes.

In order to be able to receive encrypted attributes, you need to:

1. Set SP private key (privateKey) and public cert (x509cert), and at the security settings, mark
   "wantAssertionsEncrypted": true,
2. After that, SP Metadata XML will contain info for the IdP exposing the public cert as the one to use during the encrypt process at the IdP.

When your integration receive the SAMLResponse with EncryptedAttribute, will be able to decrypt it with the SP private key, you don't need to do something special, the attributes gonna be available using the method get_attributes()

[HichamDz38]

HI @pitbulk, thank you for your response
well as i said the Attributes are encrypted not the whole assertion,
i said Encrypted Attributes are not supported, because that what is written in the get_attributes method,
my question is about why that isn't supported, it's for future enhancement or what?
greetings

[pitbulk]

The saml2int spec indicates the following:

XML Encryption
[SDP-SP10]
SPs MUST support decryption of saml:EncryptedAssertion elements. Support for other encrypted constructs is OPTIONAL.

https://kantarainitiative.github.io/SAMLprofiles/saml2int.html

What IdP are you using that Encrypt Attributes but is not able to encrypt the Assertion?

[HichamDz38]

ADFS

[pitbulk]

I believe ADFS supports EncryptedAssertions

[HichamDz38]

hi @pitbulk you are right,
after further investigation it was another issue,the Encrypted Assertion is supported
i just confused by the comment in the code, said that Encrypted Attribute is not supported
thank you for your support