diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx index 3ce5593d48..8b2ffa3a87 100644 --- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx +++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx @@ -215,11 +215,6 @@ exports.onExecutePostLogin = async (event, api) => { }; ``` - - - - - To learn how to turn the private key and certificate files into strings that you can use in a rule, see [Work with Certificates and Keys and Strings](/docs/authenticate/protocols/saml/saml-sso-integrations/work-with-certificates-and-keys-as-strings). ### Receive signed SAML authentication requests @@ -239,16 +234,11 @@ To configure signature validation: [...], // other settings "signingCert": "-----BEGIN CERTIFICATE-----\nMIIC8jCCAdqgAwIBAgIJObB6jmhG0QIEMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV\n[..all the other lines..]-----END CERTIFICATE-----\n" } - ``` - - - - - + ``` ### Send encrypted SAML authentication assertions -If Auth0 is the SAML identity provider, you can use [Actions](/docs/customize/actions) to encrypt the SAML assertions it sends. +If Auth0 is the SAML identity provider, you can use [Actions](/docs/customize/actions) to encrypt the SAML assertions it sends. You can also select the encryption algorithm used for assertion encryption. Auth0 recommends using `aes256-gcm` for a stronger security posture. You must obtain the certificate and the public key from the service provider. If you only got the certificate, you can derive the public key using `openssl`. Assuming that the certificate file is named `certificate.pem`, you can run: 
@@ -271,19 +261,26 @@ exports.onExecutePostLogin = async (event, api) => { api.samlResponse.setEncryptionCert(encryptionCert); api.samlResponse.setEncryptionPublicKey(encryptionPublicKey); + api.samlResponse.setEncryptionAlgorithm("aes256-gcm"); } }; ``` +Auth0 supports the following algorithms for assertion encryption: +* [`aes256-gcm`](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(recommended)**: Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks. +* [`aes256-cbc`](http://www.w3.org/2001/04/xmlenc#aes256-cbc) (default): It does not provide integrity guarantees. When an Action does not use the object [`api.samlResponse.setEncryptionAlgorithm`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object#api-samlresponse-setencryptioncert-encryptioncert) to set the encryption algorithm, Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs. +* [`rsa-oaep`](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p), including MGF1 and SHA1 used for key transport. + +Auth0 intends to update the default encryption algorithm to `aes256-gcm`. +For consistent behavior after the default algorithm changes, we recommend switching to `aes256-gcm`: +1. Verify that your SAML service provider supports `aes256-gcm`, and contact them for support if they do not. +2. Set the encryption algorithm in your Action code with `api.samlResponse.setEncryptionAlgorithm("aes256-gcm");`. + -The following algorithms are used: - -* [AES256](http://www.w3.org/2001/04/xmlenc#aes256-cbc) for assertion encryption -* [RSA-OAEP](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) for key transport ## Learn more
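Review bot: the new sentence added to "Send encrypted SAML authentication assertions" recommends `aes256-gcm` before the reader has been told what the current default is or how the algorithm is chosen; either state here that the current default is `aes256-cbc` and that the Action selects the algorithm, or drop the recommendation from this paragraph and leave it to the algorithm list that follows the Action example, so the advice is not given twice in slightly different words.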
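Review bot: the link on `api.samlResponse.setEncryptionAlgorithm` in the `aes256-cbc` bullet points at the `#api-samlresponse-setencryptioncert-encryptioncert` anchor, which is the `setEncryptionCert` entry of the post-login API reference, so it lands on the wrong method; point it at the `setEncryptionAlgorithm` entry, and change "does not use the object" to "does not call" since it is a method. In the same list, `rsa-oaep` appears under "algorithms for assertion encryption" although the bullet itself says it is used for key transport; the removed text kept the two roles apart ("for assertion encryption" vs "for key transport"), and that distinction should survive, for example by splitting the list into assertion encryption (`aes256-gcm`, `aes256-cbc`) and key transport (`rsa-oaep`), and by saying whether `rsa-oaep` is an accepted value for `setEncryptionAlgorithm` at all. "Format validity oracle attacks" is not the usual name; "padding-oracle attacks against CBC mode" would tell the reader what the missing integrity guarantee in the `aes256-cbc` bullet actually exposes them to. Finally, the added `+` blank line after step 2 together with the remaining context blank line leaves two empty lines before `## Learn more`.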