I am working on Single Sign On project. The identity provider is sending the SAMLResponse form variable BASE64 Encoded and I am able to verify the digital signature sent in the SAMLResponse Assertion XML document. So far so good.
Now the issue is that some part of the Assertion XML document is encrypted (see below) and they are sending the employee id in this encrypted element like this,
I have modified the actual values in some elements.
<saml:EncryptedAttribute>
  <xenc:EncryptedData Id="_67767" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_23232"/>
    </ds:KeyInfo>
    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">something</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey Id="_idhere" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">cipher value here</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
      <xenc:DataReference URI="#_uri here"/>
    </xenc:ReferenceList>
  </xenc:EncryptedKey>
</saml:EncryptedAttribute>
I have been asked to get employee id from this encrypted xml text. What happens is that once you decrypt, you get an xml structure and you can easily find employee_id by parsing.
Do you know how information in this encrypted XML can be decrypted? If you can suggest an algorithm or Java method, then that will be great also. Once I have the decrypted XML part, then it's easy to parse the XML to extract the employee_id.
FYI, the client's certificate is with me and I have imported it into the keystore using the Java keytool. I am using this certificate to verify the digital signature in the assertion XML document.
Also, I am using a java program to verify the digital signature. If you want, I can email that.
Thanks,
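The decryption steps the structure above implies, as an added example that is not part of the original post and not the poster's code: read the `xenc:EncryptionMethod` of the `EncryptedData`, follow `ds:RetrievalMethod/@URI` to the sibling `xenc:EncryptedKey`, unwrap the AES key with the service provider's RSA private key (`rsa-1_5`), then run `aes128-cbc` with the IV taken from the first block of the `CipherValue` and strip the XML Encryption padding. It uses only the JDK (JCE and DOM). The keystore path, password, key alias and file name on the command line are hypothetical, and the keystore is assumed to hold the SP's own private key: that key, not the identity provider's certificate used for signature verification, is what `EncryptedKey` was encrypted to. Apache Santuario's `XMLCipher` (with `setKEK` set to the same private key) performs the same resolution if a library is preferred.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class EncryptedAttributeDecryptor {
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Hypothetical usage: java EncryptedAttributeDecryptor sp.jks <password> sp-key response.xml
    // Run only after the assertion signature has been verified. Decryption needs the SP's own private key
    // (the pair whose certificate the IdP encrypts to); the IdP certificate only verifies the signature.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        PrivateKey spKey = (PrivateKey) ks.getKey(args[2], args[1].toCharArray());
        Document doc = hardenedBuilder().parse(new FileInputStream(args[3]));
        NodeList attrs = doc.getElementsByTagNameNS(SAML, "EncryptedAttribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            byte[] plaintext = decryptData(doc, child((Element) attrs.item(i), XENC, "EncryptedData"), spKey);
            System.out.println(new String(plaintext, StandardCharsets.UTF_8)); // a saml:Attribute element to parse further
        }
    }

    /** Returns the plaintext of one xenc:EncryptedData (aes128-cbc, key wrapped with rsa-1_5, RetrievalMethod layout). */
    static byte[] decryptData(Document doc, Element encData, PrivateKey spKey) throws Exception {
        requireAlgorithm(encData, XENC + "aes128-cbc");
        // ds:KeyInfo/ds:RetrievalMethod/@URI ("#id") points at the sibling xenc:EncryptedKey; match the Id with a
        // plain string comparison rather than an XPath built from untrusted input.
        String uri = child(child(encData, DS, "KeyInfo"), DS, "RetrievalMethod").getAttribute("URI");
        if (!uri.startsWith("#")) throw new IllegalStateException("only same-document key references are accepted");
        Element encKey = encryptedKeyById(doc, uri.substring(1));
        requireAlgorithm(encKey, XENC + "rsa-1_5");

        // Unwrap the content-encryption key. Callers should map every failure from here on to the same error
        // response so the service does not become a PKCS#1 v1.5 padding oracle; rsa-oaep is preferable if the IdP offers it.
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, spKey);
        byte[] cek = rsa.doFinal(Base64.getMimeDecoder().decode(cipherValue(encKey)));
        if (cek.length != 16) throw new IllegalStateException("aes128-cbc needs a 16-byte key");

        // XML Encryption CBC layout: CipherValue = IV (one block) || ciphertext, with no separate IV element.
        byte[] blob = Base64.getMimeDecoder().decode(cipherValue(encData));
        if (blob.length < 32 || blob.length % 16 != 0) throw new IllegalStateException("malformed CipherValue");
        Cipher aes = Cipher.getInstance("AES/CBC/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(cek, "AES"), new IvParameterSpec(Arrays.copyOf(blob, 16)));
        byte[] padded = aes.doFinal(Arrays.copyOfRange(blob, 16, blob.length));

        // XML Encryption padding: the last byte is the pad length (1..16); the other pad bytes are arbitrary.
        int pad = padded[padded.length - 1] & 0xff;
        if (pad < 1 || pad > 16) throw new IllegalStateException("bad padding");
        return Arrays.copyOf(padded, padded.length - pad);
    }

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE from the response
        return f.newDocumentBuilder();
    }

    static void requireAlgorithm(Element enc, String expected) {
        String actual = child(enc, XENC, "EncryptionMethod").getAttribute("Algorithm");
        if (!expected.equals(actual)) throw new IllegalStateException("unexpected algorithm: " + actual);
    }

    static Element encryptedKeyById(Document doc, String id) {
        NodeList keys = doc.getElementsByTagNameNS(XENC, "EncryptedKey");
        for (int i = 0; i < keys.getLength(); i++) {
            if (id.equals(((Element) keys.item(i)).getAttribute("Id"))) return (Element) keys.item(i);
        }
        throw new IllegalStateException("no EncryptedKey with Id " + id);
    }

    static String cipherValue(Element enc) {
        return child(child(enc, XENC, "CipherData"), XENC, "CipherValue").getTextContent();
    }

    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())) return (Element) n;
        }
        throw new IllegalStateException("missing " + local);
    }
}
```

Because the `EncryptedData` carries `Type="...#Element"`, the plaintext is a single element (a `saml:Attribute` in this case) whose `saml:` prefix may have been declared on an ancestor of the `EncryptedAttribute` rather than on the element itself; wrap it in a root that redeclares that prefix before handing it to a namespace-aware parser. Two checks matter for a service provider beyond getting the bytes out: decrypt only after the signature over the assertion has been verified and confirmed to cover the `EncryptedAttribute`, and reject any data or key-transport algorithm other than the ones the IdP is expected to use rather than honouring whatever the response names.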