Layer7 API Management

  • 1.  Decrypt SAML Response

    Posted Jun 25, 2020 08:34 AM
    We have a requirement where Layer7 is acting as service provider and we get a SAML response which is signed by the IDP certificate, and the assertion part of the SAML response is encrypted using the SP's digital cert. I want to understand how I can decrypt this SAML response for processing in Layer7. I was able to validate the signature but am stuck on how to decrypt this SAML response. The Non-SOAP Decrypt element doesn't ask for a private key. Please suggest.


  • 2.  RE: Decrypt SAML Response
    Best Answer

    Broadcom Employee
    Posted Jun 25, 2020 11:03 AM
    The Build SAML Protocol Response Assertion may be what you are looking for; you could use it to place a SAML token into a SAML Protocol message, and it allows various attributes/elements to be specified. When setting it up you can specify a private key for the assertion.

    Earlier versions of the gateway did have an issue in which an error would occur when using the (Non-SOAP) Decrypt XML Element assertions to encrypt/decrypt an element. This was fixed in 9.4. If going this route, I would recommend upgrading to 9.4 (if not already on it). Also, the Build SAML Protocol Response Assertion has been much improved in 9.4 as well.

    Build SAML Protocol Response Assertion: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/policy-assertions/assertion-palette/xml-security-assertions/build-saml-protocol-response-assertion.html

    Issues resolved in 9.4: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/release-notes-9-4/resolved-issues.html#concept.dita_bd083e022acc2d23c48d7b72fdad6bdad15da412_ResolvedinVersion94

    ------------------------------
    Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Decrypt SAML Response

    Posted Jun 25, 2020 11:27 AM
    Can the Build SAML Protocol Response Assertion be used for processing a received SAML Response as well?


  • 4.  RE: Decrypt SAML Response

    Broadcom Employee
    Posted Jun 25, 2020 02:17 PM
    The assertion does not ask for a private key because it assumes there is one in the private keystore. What error are you getting? Can you post policy here?

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------



  • 5.  RE: Decrypt SAML Response

    Posted Jun 28, 2020 12:34 AM
    I believe the assertion doesn't work if your KeyInfo is also encrypted, as I am seeing errors saying no KeyInfo found, so I am looking for options on how to consume this in Layer7, i.e. an encrypted SAML with an rsa-oaep encrypted key.

    Regards
    Akshat
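The thread is about a SAML Response whose assertion is encrypted to the SP certificate, and the last post reports a "no KeyInfo found" error. The script below is an added example written for this page; it is not Layer7/Broadcom gateway code and does not reproduce the gateway's own assertion logic. It is a stdlib-only Python inspector that parses a SAML Response, finds the xenc:EncryptedKey in either of the two placements the standards allow (inside the EncryptedData's ds:KeyInfo per XML Encryption, or as a sibling of EncryptedData inside saml:EncryptedAssertion per SAML 2.0 core section 2.3.4), and reports the key-transport and data-encryption algorithms, the named SP key, and the sizes of the wrapped key and ciphertext. The sample response, the key name `sp-encryption-key` and the `example.invalid` entity IDs are constructed for the example and are not from the thread.

```python
"""Report what an SP needs to decrypt a SAML 2.0 Response with an EncryptedAssertion.
Stdlib only; the sample Response is constructed for this example.
Parse untrusted XML with a hardened parser (e.g. defusedxml) in production."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"           # legacy PKCS#1 v1.5
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"  # XML Enc 1.0 OAEP
RSA_OAEP_11 = "http://www.w3.org/2009/xmlenc11#rsa-oaep"      # XML Enc 1.1 OAEP
KEY_TRANSPORT = {RSA_15, RSA_OAEP, RSA_OAEP_11}

# Constructed sample: signed Response, assertion encrypted with AES-256-CBC,
# EncryptedKey placed as a sibling of EncryptedData (SAML 2.0 core 2.3.4).
_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}" ID="_r1" Version="2.0" IssueInstant="2020-06-25T08:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>{data}</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>{key_block}
  </saml:EncryptedAssertion>
</samlp:Response>"""
_KEY_BLOCK = """
    <xenc:EncryptedKey Recipient="https://sp.example.invalid">
      <xenc:EncryptionMethod Algorithm="{alg}"/>
      <ds:KeyInfo><ds:KeyName>sp-encryption-key</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>{key}</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>"""


def build_sample(include_key=True, key_alg=RSA_OAEP):
    """Dummy 48-byte ciphertext (16-byte IV + 32 bytes) and a 256-byte dummy
    wrapped key, the size of an RSA-2048 key-transport block."""
    data = base64.b64encode(bytes(range(48))).decode()
    key = base64.b64encode(b"\x00" * 256).decode()
    key_block = _KEY_BLOCK.format(alg=key_alg, key=key) if include_key else ""
    return _TEMPLATE.format(data=data, key_block=key_block, **NS)


def _cipher_len(elem):
    """Decoded byte length of elem's xenc:CipherData/xenc:CipherValue, or None."""
    cv = elem.find("xenc:CipherData/xenc:CipherValue", NS)
    if cv is None or not cv.text:
        return None
    try:
        return len(base64.b64decode("".join(cv.text.split()), validate=True))
    except ValueError:
        return None


def find_encrypted_key(enc_assertion, enc_data):
    """XML Encryption nests EncryptedKey in the EncryptedData's ds:KeyInfo;
    SAML 2.0 also allows it as a sibling of EncryptedData. Check both."""
    ek = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if ek is not None:
        return ek, "KeyInfo"
    ek = enc_assertion.find("xenc:EncryptedKey", NS)
    return (ek, "sibling") if ek is not None else (None, None)


def inspect_response(xml_text):
    """Return a dict describing what decrypting this Response requires."""
    root = ET.fromstring(xml_text)
    report = {"encrypted": False, "response_signed": root.find("ds:Signature", NS) is not None,
              "data_algorithm": None, "ciphertext_bytes": None, "key_placement": None,
              "key_transport_algorithm": None, "key_name": None, "wrapped_key_bytes": None,
              "problems": []}
    enc_assertion = root.find("saml:EncryptedAssertion", NS)
    if enc_assertion is None:
        return report  # plaintext assertion: nothing to unwrap
    enc_data = enc_assertion.find("xenc:EncryptedData", NS)
    if enc_data is None:
        report["problems"].append("EncryptedAssertion without xenc:EncryptedData")
        return report
    report["encrypted"] = True
    method = enc_data.find("xenc:EncryptionMethod", NS)
    report["data_algorithm"] = method.get("Algorithm") if method is not None else None
    report["ciphertext_bytes"] = _cipher_len(enc_data)
    ek, report["key_placement"] = find_encrypted_key(enc_assertion, enc_data)
    if ek is None:
        report["problems"].append("no xenc:EncryptedKey found: nothing for the SP private key to unwrap")
    else:
        method = ek.find("xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        name = ek.find("ds:KeyInfo/ds:KeyName", NS)
        report["key_transport_algorithm"] = alg
        report["key_name"] = name.text if name is not None else None
        report["wrapped_key_bytes"] = _cipher_len(ek)
        if alg == RSA_15:
            report["problems"].append("rsa-1_5 key transport is deprecated (padding-oracle risk); prefer RSA-OAEP")
        elif alg not in KEY_TRANSPORT:
            report["problems"].append(f"unrecognised key transport algorithm: {alg}")
    if not report["response_signed"]:
        report["problems"].append("Response is not signed; establish integrity before decrypting")
    return report


if __name__ == "__main__":
    for label, xml in (("oaep", build_sample()), ("missing key", build_sample(include_key=False))):
        print(label, inspect_response(xml))
```

If the report shows no EncryptedKey, there is nothing the SP private key can unwrap, which is the first thing to check when a decrypt step complains about a missing KeyInfo. When the key is present, the remaining work (not in this example, since it needs a crypto library such as `cryptography`) is the standard XML Encryption sequence: unwrap the EncryptedKey's CipherValue with the SP private key using the reported RSA transport algorithm, then decrypt the EncryptedData's CipherValue with the resulting symmetric key, where for the CBC modes the first 16 bytes of the ciphertext are the IV and the trailing bytes are XML Encryption padding. Note that rsa-1_5 is flagged because PKCS#1 v1.5 key transport is a known padding-oracle risk; an SP should ask the IdP for RSA-OAEP.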