Cannot Encrypt SAML Assertions with 3DES

  • 7004694
  • 20-Oct-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server

Situation

Novell Identity Server is set up to use SAML 2.0 to exchange authentication and attributes with a partner. The partner requires 3DES encryption of the SAML assertion. While the Access Manager documentation talks about enabling encryption for assertions, there is no guidance on which algorithms or ciphers are available, e.g. how you would configure 3DES, specify the key, or tune parameters such as cipher block check or CRC.

When assertion encryption is enabled, Access Manager encrypts the assertion with XML Encryption using the AES-128 block cipher; this is separate from the SSL/TLS protection of the transport and is the only cipher offered. Since the SAML partner has no flexibility on using anything but 3DES, there is no way of integrating the two SAML services.

Resolution

The Access Manager 3.1 Support Pack 1 build has this limitation. It will be addressed in Support Pack 2, when it is released: a context parameter in the Identity Server web.xml file will let administrators select the cipher and key size, using the following syntax:

 <context-param>
     <param-name>EncryptionMethod</param-name>
     <param-value>TDES</param-value>
 </context-param>

The parameter value can be TDES, AES128 or AES256. As mentioned above, AES128 is the default, so no change to the file is required if that cipher can be used. Select TDES only where the partner cannot accept AES: Triple DES has a 64-bit block size and is the weakest of the three options.
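The following script is an added example and is not part of this TID or of Novell's product code. It shows two checks a practitioner would want around this setting: reading or setting the EncryptionMethod context-param in a web.xml (validating against the three documented values and applying the AES128 default when the parameter is absent), and inspecting a SAML response to confirm which XML Encryption algorithm the EncryptedAssertion actually carries. The web.xml and SAML response embedded below are constructed samples, and the mapping from the web.xml values to the xmlenc algorithm URIs is an assumption (the URIs themselves are the standard XML Encryption identifiers; the TID does not state the mapping).

```python
"""Added example (not from the Novell TID): manage the EncryptionMethod
context-param in an Identity Server web.xml and check which XML Encryption
algorithm an encrypted SAML assertion actually uses."""
import xml.etree.ElementTree as ET

# Values the TID documents for the web.xml parameter.
ALLOWED = ("TDES", "AES128", "AES256")
DEFAULT = "AES128"  # per the TID, used when the parameter is absent

# Assumed mapping from the web.xml value to the XML Encryption algorithm
# URI (the URIs are standard xmlenc identifiers; the mapping is an assumption).
XMLENC_URI = {
    "TDES":   "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
    "AES128": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "AES256": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}

SAML_NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample web.xml (no EncryptionMethod entry yet).
SAMPLE_WEB_XML = """<web-app>
  <display-name>IdentityServer</display-name>
  <context-param>
    <param-name>SomeOtherParam</param-name>
    <param-value>x</param-value>
  </context-param>
</web-app>"""

# Constructed sample SAML response; CipherValue contents are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</samlp:Response>"""


def _ns(tag):
    """Namespace prefix '{uri}' of an element tag, or '' if it has none."""
    return tag[:tag.index("}") + 1] if tag.startswith("{") else ""


def _find_param(root):
    """Return the <context-param> element named EncryptionMethod, or None."""
    ns = _ns(root.tag)
    for cp in root.iter(ns + "context-param"):
        name = cp.findtext(ns + "param-name") or ""
        if name.strip() == "EncryptionMethod":
            return cp
    return None


def get_encryption_method(web_xml):
    """Configured cipher, or the AES128 default when the parameter is absent."""
    root = ET.fromstring(web_xml)
    cp = _find_param(root)
    if cp is None:
        return DEFAULT
    value = (cp.findtext(_ns(root.tag) + "param-value") or "").strip()
    if value not in ALLOWED:
        raise ValueError(f"unsupported EncryptionMethod {value!r}; expected one of {ALLOWED}")
    return value


def set_encryption_method(web_xml, method):
    """Return web.xml with EncryptionMethod set to `method` (added if missing)."""
    if method not in ALLOWED:
        raise ValueError(f"unsupported EncryptionMethod {method!r}; expected one of {ALLOWED}")
    root = ET.fromstring(web_xml)
    ns = _ns(root.tag)
    cp = _find_param(root)
    if cp is None:
        cp = ET.SubElement(root, ns + "context-param")
        ET.SubElement(cp, ns + "param-name").text = "EncryptionMethod"
    value = cp.find(ns + "param-value")
    if value is None:
        value = ET.SubElement(cp, ns + "param-value")
    value.text = method
    return ET.tostring(root, encoding="unicode")


def assertion_algorithm(saml_xml):
    """Algorithm URI of the EncryptedData directly under EncryptedAssertion.
    Reads the data-encryption method, not the EncryptedKey's key-transport
    method. Returns None if the assertion is not encrypted."""
    root = ET.fromstring(saml_xml)
    data = root.find(".//saml2:EncryptedAssertion/xenc:EncryptedData", SAML_NS)
    if data is None:
        return None
    method = data.find("xenc:EncryptionMethod", SAML_NS)
    return method.get("Algorithm") if method is not None else None


def assertion_uses(saml_xml, method):
    """True if the response's assertion is encrypted with the given web.xml cipher."""
    return assertion_algorithm(saml_xml) == XMLENC_URI[method]


if __name__ == "__main__":
    print("configured:", get_encryption_method(SAMPLE_WEB_XML))
    updated = set_encryption_method(SAMPLE_WEB_XML, "TDES")
    print("after change:", get_encryption_method(updated))
    print("on the wire:", assertion_algorithm(SAMPLE_RESPONSE))
    print("partner gets 3DES:", assertion_uses(SAMPLE_RESPONSE, "TDES"))
```

Run `assertion_algorithm` against a response captured from the Identity Server (for example from a browser trace) after changing web.xml to confirm the setting took effect; the script deliberately reads the EncryptedData's own EncryptionMethod rather than the EncryptedKey's, since the key-transport algorithm (RSA) is a different setting from the assertion cipher this TID is about.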