[IdP] About encryption and signature

Forge Component
Published on 4 Aug by Telmo Martins
37 votes

Hello there,

I have a question about the IDP module (in Forge) specification.

"Does the IDP module need encryption and a signature for the auth request and response?"

Our company has an IDP server in an on-premises environment, and my OutSystems web app needs the standard authentication of my company, so I will apply to use it. The IDP server operator asked me to submit the SAML settings for the auth request and auth response.

Can anyone give me some advice?


Settings :

 Does the auth request need a signature? (yes or no) -> no?

 Does the auth response need a signature? (yes or no or Certificate) -> Certificate?

 What type is the signature? (RSAwithSHA1 or RSAwith256) -> RSAwith256?

 What needs a signature? (Assertion or Response or both) -> Assertion?

 Does the auth request need encryption? (yes or no) -> no?

 Does the auth response need encryption? (yes or no or Certificate) -> Certificate?

 What type is the block algorithm? (3DES or AES-128 or AES-256) -> ????

 What type is the key algorithm? (RSA-V15 or RSA-OAEP) -> ????

 What needs encryption? (NameID or Assertion) -> ????


Best regards,

Takeshi Shimoda

--------------------------------

P.S.

Our application is hosted in the OutSystems cloud environment.

Hi Takeshi,

You are using the latest version, right?

Settings :

 Does the auth request need a signature? (yes or no) -> no?

Usually IdP servers don't require that; there are some exceptions, and for those we need to set it to True.

If you are able to choose it, you can set to No.

 Does the auth response need a signature? (yes or no or Certificate) -> Certificate?

Yes, it's required. The uploaded certificate (manually or through the metadata file) will be used to validate it.

 What type is the signature? (RSAwithSHA1 or RSAwith256) -> RSAwith256?

Both should work fine.

 What needs a signature? (Assertion or Response or both) -> Assertion?

The component supports both (in the response or assertion).

 Does the auth request need encryption? (yes or no) -> no?

Set it to No.

 Does the auth response need encryption? (yes or no or Certificate) -> Certificate?

The component supports it; it's up to you. In the most common cases it's not encrypted, but in some cases it's encrypted for extra security. If you set it to Yes, the certificate that you need to upload to the IdP server is the one that you can download from the component (or through the SP metadata file that you can also download from the component).


 What type is the block algorithm? (3DES or AES-128 or AES-256) -> ????

AES should work fine.

 What type is the key algorithm? (RSA-V15 or RSA-OAEP) -> ????

Not sure, but should work fine with both.

 What needs encryption? (NameID or Assertion) -> ????

The assertion can be encrypted for extra security (as explained above).

The NameID cannot be encrypted (the component does not support that feature).


Regards.
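The settings the reply above walks through (which element carries the signature, the signature method, whether the assertion is encrypted, and the block and key-transport algorithms) can all be read directly from a sample Response captured from the IdP, which is a useful check before submitting the settings to the IdP operator. The script below is an added example, not part of this thread or of the Forge component: it inspects a constructed Response and also flags the algorithm choices a security review would question (RSA-SHA1, RSA PKCS#1 v1.5 key transport, 3DES).

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Algorithm URI fragments a security review would flag: SHA-1 signatures, PKCS#1 v1.5 key transport, 3DES.
WEAK = ("rsa-sha1", "rsa-1_5", "tripledes")
SIG_METHOD = "ds:Signature/ds:SignedInfo/ds:SignatureMethod"

def _alg(elem, path):
    # Algorithm attribute of the element at path below elem, or None if either is absent.
    node = elem.find(path, NS) if elem is not None else None
    return node.get("Algorithm") if node is not None else None

def inspect_response(xml_text):
    """Report which signing and encryption settings a SAML 2.0 Response actually uses."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    enc = root.find("saml:EncryptedAssertion", NS)
    report = {
        # The XML signature may sit on the Response, on the Assertion, or on both.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": _alg(assertion, SIG_METHOD) is not None,
        "signature_algorithms": sorted({a for a in (_alg(root, SIG_METHOD), _alg(assertion, SIG_METHOD)) if a}),
        "assertion_encrypted": enc is not None,
        # The block cipher is declared on EncryptedData, the key transport on EncryptedKey.
        "block_algorithm": _alg(enc, "xenc:EncryptedData/xenc:EncryptionMethod"),
        "key_algorithm": _alg(enc, ".//xenc:EncryptedKey/xenc:EncryptionMethod"),
        # An encrypted NameID is only visible when the assertion itself is in plaintext.
        "nameid_encrypted": assertion is not None and assertion.find("saml:Subject/saml:EncryptedID", NS) is not None,
    }
    algs = report["signature_algorithms"] + [report["block_algorithm"], report["key_algorithm"]]
    report["weak_algorithms"] = sorted(a for a in algs if a and any(w in a for w in WEAK))
    return report

# Constructed sample: Response signed with RSA-SHA256, assertion encrypted with AES-256-CBC
# under RSA-OAEP key transport. Signature and cipher values are omitted for brevity.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod
   Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/></xenc:EncryptedKey></ds:KeyInfo>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
```

Run `inspect_response` on a Response captured from your own IdP (for example from the browser's network tools during a test login) to fill in the operator's form from what the server really sends rather than from guesswork.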

Hi Telmo.

Thank you for your answer!! It solved my problem. (I'm very sorry for the delay in my message to thank you.)

I'm testing the link between the OutSystems app and the federation server built by my company.

This module helps us a lot.


Regards.