feat: add support for saml encrypted assertions

internal/api/saml.go

@@ -80,16 +80,14 @@ func (a *API) SAMLMetadata(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	// don't advertize the encryption keys as it makes it much difficult to debug
-	// requests / responses, and does not increase security since assertions are
-	// not "private" and not necessary to be hidden from the browser
 	for i := range metadata.SPSSODescriptors {
 		spd := &metadata.SPSSODescriptors[i]
 
 		var keyDescriptors []saml.KeyDescriptor
 
 		for _, kd := range spd.KeyDescriptors {
-			if kd.Use == "signing" {
+			// only advertize key as usable for encryption if allowed
+			if kd.Use == "signing" || (a.config.SAML.AllowEncryptedAssertions && kd.Use == "encryption") {
 				keyDescriptors = append(keyDescriptors, kd)
 			}
 		}

internal/conf/saml.go

@@ -17,6 +17,7 @@ import (
 type SAMLConfiguration struct {
 	Enabled                  bool          `json:"enabled"`
 	PrivateKey               string        `json:"-" split_words:"true"`
+	AllowEncryptedAssertions bool          `json:"allow_encrypted_assertions" split_words:"true"`
 	RelayStateValidityPeriod time.Duration `json:"relay_state_validity_period" split_words:"true"`
 
 	RSAPrivateKey *rsa.PrivateKey   `json:"-"`
@@ -111,6 +112,10 @@ func (c *SAMLConfiguration) PopulateFields(externalURL string) error {
 		},
 	}
 
+	if c.AllowEncryptedAssertions {
+		certTemplate.KeyUsage = certTemplate.KeyUsage | x509.KeyUsageDataEncipherment
+	}
+
 	certDer, err := x509.CreateCertificate(nil, certTemplate, certTemplate, c.RSAPublicKey, c.RSAPrivateKey)
 	if err != nil {
 		return err