Environment
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
SAML2 Protocol enabled
NetIQ Access Manager 4.1
SAML2 Protocol enabled
Situation
NAM Identity Server acting as a SAML2 Identity Provider to a Shibboleth SAML2 Service Provider. One of the requirements for Shibboleth is that the assertion generated by NAM must be encrypted using the rsa-oaep algorithm. The NAM 4.0 documentation indicates that the XML encryption for SAML Assertions can be changed to AES128, AES256, or 3DES but does not seem to mentioned support for PKCS 2.0 (RSA-OAEP) encryption.
An example of the xenc:EncryptionMethod entries that we need to be able to generate is the following:
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
The link at http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 describes the identifier http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p. Can we use this identifier in order to implement the RSAES-OAEP-ENCRYPT algorithm with NAM Identity Server?
An example of the xenc:EncryptionMethod entries that we need to be able to generate is the following:
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
The link at http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 describes the identifier http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p. Can we use this identifier in order to implement the RSAES-OAEP-ENCRYPT algorithm with NAM Identity Server?
Resolution
Make sure you are running NAM 4.0.1 onwards, and that the SP metadata imported into NAM includes any of the following rsa-oaep encryption methods:
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
If the option to encrypt the NameID and/or Encrypt assertion is enabled at the Identity Server, the IDP server picks up the algorithm as mentioned in metadata.
If we use aes it uses algorithm as mentioned and uses AES as jceAlg and key wrap as http://www.w3.org/2001/04/xmlenc#rsa-1_5
If we use triple des it uses algorithm as mentioned and uses DESede as jceAlg and key wrap as http://www.w3.org/2001/04/xmlenc#rsa-1_5
If we use rsa-oaep or rsa-oaep-mgf1p , it uses the algorithm as aes and key wrap as http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, An example catalina log entry is shown below (assuming Application component set to DEBUG in logs)
<amLogEntry> 2015-05-18T17:01:04Z DEBUG NIDS Application:
Method: XMLEncryptable.A
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
If the option to encrypt the NameID and/or Encrypt assertion is enabled at the Identity Server, the IDP server picks up the algorithm as mentioned in metadata.
If we use aes it uses algorithm as mentioned and uses AES as jceAlg and key wrap as http://www.w3.org/2001/04/xmlenc#rsa-1_5
If we use triple des it uses algorithm as mentioned and uses DESede as jceAlg and key wrap as http://www.w3.org/2001/04/xmlenc#rsa-1_5
If we use rsa-oaep or rsa-oaep-mgf1p , it uses the algorithm as aes and key wrap as http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, An example catalina log entry is shown below (assuming Application component set to DEBUG in logs)
<amLogEntry> 2015-05-18T17:01:04Z DEBUG NIDS Application:
Method: XMLEncryptable.A
Thread: http-bio-164.99.184.24-8443-exec-9 Encryption Parameters: wrapCert: null wrapKey: Sun RSA public key, 2048 bits modulus: 22217308753071309463749282079708878219750495207039846082856678535175767310185748777231411359173851241619259689900683833689684983265546270779485093024662081293092915480468251275943496236210523839661240129450025296448962240071616334365114544487528755886766638970464736513879497635093960901070807121896591192258439885063516439417543665009754429041104175553820481477445609439446265461256224204735529231640175646470662895172035987187199292787752778110792149069371129496998877463948200372480242205765072828467005100625714856147920365652311502563696313809227094659173905171337850206891051097343167947003136117469591317128171 public exponent: 65537 symmKey: null elementToEncrypt: [saml:NameID: null] strRecipientId: https://neilc.novell.com/nidp/saml2/metadata jceAlg: AES alg: http://www.w3.org/2001/04/xmlenc#aes256-cbc keyWrapAlg: http://www.w3.org/2001/04/xmlenc#rsa-1_5 slen: 256 format: 1 bContent: false </amLogEntry>