diff --git a/internal/api/saml.go b/internal/api/saml.go
index def4e3912..f32d4436d 100644
--- a/internal/api/saml.go
+++ b/internal/api/saml.go
@@ -80,16 +80,14 @@ func (a *API) SAMLMetadata(w http.ResponseWriter, r *http.Request) error {
 }
 }
- // don't advertize the encryption keys as it makes it much difficult to debug
- // requests / responses, and does not increase security since assertions are
- // not "private" and not necessary to be hidden from the browser
 for i := range metadata.SPSSODescriptors {
 spd := &metadata.SPSSODescriptors[i]
 var keyDescriptors []saml.KeyDescriptor
 for _, kd := range spd.KeyDescriptors {
- if kd.Use == "signing" {
+ // only advertize key as usable for encryption if allowed
+ if kd.Use == "signing" || (a.config.SAML.AllowEncryptedAssertions && kd.Use == "encryption") {
 keyDescriptors = append(keyDescriptors, kd)
 }
 }
diff --git a/internal/conf/saml.go b/internal/conf/saml.go
index 246868ed6..66a820caf 100644
--- a/internal/conf/saml.go
+++ b/internal/conf/saml.go
@@ -17,6 +17,7 @@ import (
 type SAMLConfiguration struct {
 Enabled bool `json:"enabled"`
 PrivateKey string `json:"-" split_words:"true"`
+ AllowEncryptedAssertions bool `json:"allow_encrypted_assertions" split_words:"true"`
 RelayStateValidityPeriod time.Duration `json:"relay_state_validity_period" split_words:"true"`
 RSAPrivateKey *rsa.PrivateKey `json:"-"`
@@ -111,6 +112,10 @@ func (c *SAMLConfiguration) PopulateFields(externalURL string) error {
 },
 }
+ if c.AllowEncryptedAssertions {
+ certTemplate.KeyUsage = certTemplate.KeyUsage | x509.KeyUsageDataEncipherment
+ }
+
 certDer, err := x509.CreateCertificate(nil, certTemplate, certTemplate, c.RSAPublicKey, c.RSAPrivateKey)
 if err != nil {
 return err
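Review bot: The rewritten condition in the KeyDescriptor loop of `SAMLMetadata` loses the rationale the deleted comment carried, so a reader no longer learns why encryption keys are hidden by default; the new comment should keep it, e.g. `// Encryption keys are hidden by default: encrypted assertions are much harder to debug and add no confidentiality the browser needs. Advertise them only when the operator opts in via SAML.AllowEncryptedAssertions.` Advertising a KeyDescriptor with Use "encryption" invites the IdP to encrypt assertions to that certificate, so the SP must be able to decrypt with the matching private key; the hunk does not show where that is wired up, which is worth confirming before the flag is documented as safe to enable. While the comment is being rewritten, `advertize` should read `advertise`. Both the loop and the enclosing function continue past the end of the hunk.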
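Review bot: The new `AllowEncryptedAssertions` field in `SAMLConfiguration` has no doc comment, unlike what an operator-facing toggle that changes both the published metadata and the generated certificate needs. Suggest `// AllowEncryptedAssertions advertises the SP's encryption KeyDescriptor in metadata and adds an encipherment key usage to the self-signed certificate, so the IdP may send encrypted assertions. Because the certificate is built from the template, toggling this changes the certificate (and thus the metadata) presented to IdPs.` The struct definition continues outside the hunk.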
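Review bot: `x509.KeyUsageDataEncipherment` in the new block of `PopulateFields` is likely the wrong key-usage bit for SAML assertion encryption: XML Encryption wraps a symmetric session key with the RSA public key, which is key encipherment, so an IdP that validates key usage against the advertised certificate may reject it. Prefer `certTemplate.KeyUsage |= x509.KeyUsageKeyEncipherment` (keeping DataEncipherment as well is harmless if some peer expects it). Many IdPs do not check KeyUsage on SAML certificates, so this is an interoperability risk rather than a demonstrated failure. `PopulateFields` continues outside the hunk.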