Howto change encryption algorithm in SAML assertions to support supports PKCS 2.0 (RSA-OAEP

  • 7017339
  • 09-Mar-2016
  • 09-Mar-2016


NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
SAML2 Protocol enabled


NAM Identity Server acting as a SAML2 Identity Provider to a Shibboleth SAML2 Service Provider. One of the requirements for Shibboleth is that the assertion generated by NAM must be encrypted using the rsa-oaep algorithm. The NAM 4.0 documentation indicates that the XML encryption for SAML Assertions can be changed to AES128, AES256, or 3DES but does not seem to mentioned support for PKCS 2.0 (RSA-OAEP) encryption.

An example of the xenc:EncryptionMethod entries that we need to be able to generate is the following:

 <xenc:EncryptionMethod Algorithm="" />

The link at  describes the identifier Can we use this identifier in order to implement the RSAES-OAEP-ENCRYPT algorithm with NAM Identity Server?


Make sure you are running NAM 4.0.1 onwards, and that the SP metadata imported into NAM includes any of the following rsa-oaep encryption methods:

<md:EncryptionMethod Algorithm=""/>
<md:EncryptionMethod Algorithm=""/>

If the option to encrypt the NameID and/or Encrypt assertion is enabled at the Identity Server, the IDP server picks up the algorithm as mentioned in metadata.

If we use aes it uses algorithm as mentioned and uses AES as jceAlg and key wrap as
If we use triple des it uses algorithm as mentioned and uses DESede as jceAlg and key wrap as
If we use rsa-oaep or rsa-oaep-mgf1p , it uses the algorithm as aes and key wrap as, An example catalina log entry is shown below (assuming Application component set to DEBUG in logs)

<amLogEntry> 2015-05-18T17:01:04Z DEBUG NIDS Application:
Method: XMLEncryptable.A
Thread: http-bio-
Encryption Parameters:
   wrapCert: null
   wrapKey: Sun RSA public key, 2048 bits
  modulus: 22217308753071309463749282079708878219750495207039846082856678535175767310185748777231411359173851241619259689900683833689684983265546270779485093024662081293092915480468251275943496236210523839661240129450025296448962240071616334365114544487528755886766638970464736513879497635093960901070807121896591192258439885063516439417543665009754429041104175553820481477445609439446265461256224204735529231640175646470662895172035987187199292787752778110792149069371129496998877463948200372480242205765072828467005100625714856147920365652311502563696313809227094659173905171337850206891051097343167947003136117469591317128171
  public exponent: 65537
   symmKey: null
   elementToEncrypt: [saml:NameID: null]
   jceAlg: AES
   slen: 256
   format: 1
   bContent: false