Michael Böhm created GUACAMOLE-1372:
---------------------------------------

Summary: SAML module should be able to encrypt and sign requests
Key: GUACAMOLE-1372
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1372
Project: Guacamole
Issue Type: Improvement
Components: guacamole-auth-saml
Affects Versions: 1.3.0
Reporter: Michael Böhm

Some IDPs and company guidelines require SAML auth requests for a service provider to be signed and optionally encrypted. Guacamole's SAML module should be able to fetch an X509 certificate and private key from a config parameter and use this data to sign and encrypt requests.

SP Metadata dummy:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://PointOfContactServer/sps/DummySP/saml20">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
        </X509Data>
      </KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://PointOfContactServer/sps/DummySP/saml20/login" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Furthermore, IDP-initiated SAML should be supported (or documented if it already works).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
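Added example, not part of the ticket or of Guacamole's code: a small Python (stdlib only) builder and checker for the SP metadata shape shown above. It publishes one certificate under both `signing` and `encryption` KeyDescriptors, sets `AuthnRequestsSigned` so the IdP expects signed requests, and the checker reports what an IdP administrator would see when importing the metadata, including whether the encryption method is the legacy PKCS#1 v1.5 `rsa-1_5` URI from the dummy (RSA-OAEP is the usual recommendation). The entity ID, ACS URL and PEM certificate are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"          # PKCS#1 v1.5 padding, legacy
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"  # preferred key transport

# Constructed placeholder, not a real certificate.
DUMMY_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...dummy...==\n-----END CERTIFICATE-----\n"

def pem_body(pem: str) -> str:
    """X509Certificate carries the bare base64 DER, so drop PEM armour and whitespace."""
    lines = (l.strip() for l in pem.strip().splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))

def build_sp_metadata(entity_id, acs_url, cert_pem, enc_alg=RSA_OAEP):
    """Publish the same certificate for signing and encryption, as the ticket's dummy does."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    md, ds = "{%s}" % NS["md"], "{%s}" % NS["ds"]
    ed = ET.Element(md + "EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, md + "SPSSODescriptor", AuthnRequestsSigned="true",
                       protocolSupportEnumeration=SAML2P)
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, md + "KeyDescriptor", use=use)
        x509 = ET.SubElement(ET.SubElement(kd, ds + "KeyInfo"), ds + "X509Data")
        ET.SubElement(x509, ds + "X509Certificate").text = pem_body(cert_pem)
        if use == "encryption":
            ET.SubElement(kd, md + "EncryptionMethod", Algorithm=enc_alg)
    ET.SubElement(sp, md + "AssertionConsumerService", Binding=HTTP_POST,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")

def check_sp_metadata(xml_text: str) -> dict:
    """Report which key uses the metadata really publishes and how requests will be signed."""
    root = ET.fromstring(xml_text)
    uses, algs = set(), []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue  # a descriptor without a certificate publishes nothing usable
        uses.add(kd.get("use", "both"))  # no 'use' attribute means signing and encryption
        algs += [em.get("Algorithm") for em in kd.iterfind("md:EncryptionMethod", NS)]
    sp = root.find(".//md:SPSSODescriptor", NS)
    return {"signing": bool(uses & {"signing", "both"}),
            "encryption": bool(uses & {"encryption", "both"}),
            "authn_requests_signed": sp is not None and sp.get("AuthnRequestsSigned") == "true",
            "legacy_rsa15": RSA_1_5 in algs}
```

The checker accepts either the prefixed `ds:` form or the default-namespace `KeyInfo xmlns=...` form used in the ticket's dummy.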