Specifying XML encryption policy (for SAML 2.0)

For SAML 2.0 configurations, in addition to using signed assertions to ensure authenticity, you and your partner can also agree to encrypt all or part of an assertion to improve privacy.

About this task

You can configure these settings on the Encryption Policy tab.

For WS-Fed connections with SAML 2.0 assertions, you cannot encrypt the entire assertion.

Option	Name identifier (SAML_SUBJECT)	Other attributes	Encrypt the SAML_SUBJECT in SLO messages to the IdP	Allow encrypted SAML_SUBJECT in SLO messages from the IdP
None	No encryption.	No encryption.	No encryption.	No encryption.
The entire assertion	Encryption allowed.	Encryption allowed.	Encryption allowed as an available option.	Encryption allowed as an available option.
SAML_SUBJECT (Name Identifier)	Encryption allowed.	Encryption allowed as an available option.	Encryption allowed as an available option.	Encryption allowed as an available option.
One or more attributes	Encryption allowed.	Encryption allowed as an available option.	Encryption allowed as an available option only if you select to allow the entire assertion or the SAML_SUBJECT to be encrypted.	Encryption allowed as an available option only if you select to allow the entire assertion or the SAML_SUBJECT to be encrypted.

Option

Name identifier (SAML_SUBJECT)

Other attributes

Encrypt the SAML_SUBJECT in SLO messages to the IdP

Allow encrypted SAML_SUBJECT in SLO messages from the IdP

None

No encryption.

The entire assertion

Encryption allowed.

Encryption allowed as an available option.

SAML_SUBJECT (Name Identifier)

Encryption allowed.

Encryption allowed as an available option.

One or more attributes

Encryption allowed.

Encryption allowed as an available option.

Encryption allowed as an available option only if you select to allow the entire assertion or the SAML_SUBJECT to be encrypted.

To disable the decryption of EncryptedID elements when enclosed in a SAML attribute, set the DecryptEncryptedIdInAttribute property to false in the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.profiles.sp.HandleAuthnResponse.xml file.

To enable encryption:

Steps

Click the Allow encrypted SAML Assertions and SLO messages option.
Choose whether this identity provider (IdP) partner will encrypt the entire assertion, the SAML_SUBJECT name identifier, one or more other attributes, or some combination.
If your partner is encrypting the name identifier, indicate whether you will encrypt this attribute in outbound SAML 2.0 single logout (SLO) messages, allow its encryption for inbound messages, or both.

Result

If you are editing an existing connection, you can reconfigure the XML encryption policy, which might require additional configuration changes in subsequent tasks.

PingFederate Server

Specifying XML encryption policy (for SAML 2.0)

About this task

Steps

Result