Secure Attribute Exchange (also referred to as Virtual Federation) allows one application to communicate identity data to a second application in a different domain. This chapter contains information on how to encrypt the data using the com.sun.identity.sae.api package, including:
When data encryption is used, attributes pushed from the identity provider application to its local instance of OpenSSO are encrypted, as are attributes sent from the local instance of OpenSSO on the service provider side to the service provider application. Both symmetric and asymmetric data encryption are supported in a Secure Attribute Exchange.
For symmetric encryption, the encryption key is the same shared secret used to sign the data. For asymmetric encryption, the sender will encrypt the encryption key using the receiving party's public key. Upon receipt of the encrypted data, the receiving party will decrypt the encryption key using its private key, and then decrypt the data using the encryption key.
Before getting into the application coding and configuration of OpenSSO for Secure Attribute Exchange encryption, the administrator must decide:
The encryption algorithm (for example, AES or DES)
The key strength (key size)
The security mechanism (symmetric or asymmetric)
If using asymmetric encryption, make sure the identity provider's public key is accessible (for example, in a keystore or through a URL) to the application on the identity provider side. Additionally, add the public key of the application on the service provider side to the service provider's keystore.
Initialize an instance of com.sun.identity.sae.api.SecureAttrs using the SecureAttrs.init(String instance-name, String type, Properties properties) method.
Be sure to add values for SAE_CONFIG_DATA_ENCRYPTION_ALG and SAE_CONFIG_ENCRYPTION_KEY_STRENGTH to Properties.
To encrypt the data, call the saInstance.getEncodedString(Map attrs, String secret, String encSecret) method. If encSecret is null, the data is not encrypted; this is the same as calling saInstance.getEncodedString(Map attrs, String secret).
To decrypt the data, call the saInstance.verifyEncodedString(String str, String secret, String encSecret) method. If encSecret is null (or the data is not encrypted), decryption is not done; this is equivalent to calling the saInstance.verifyEncodedString(String str, String secret) method.
See the OpenSSO Java API Reference for specifics on the parameters. This Javadoc can be found in the docs directory of the exploded opensso.war. Sample code can be found in the saeIDPApp.jsp and saeSPApp.jsp files included with the Secure Attribute Exchange sample. Be sure to include the SAE class files in your web application; they are included in Client SDK jars.
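The following is an added example (not taken from the OpenSSO samples or Client SDK) that walks through the init, encode and verify calls named above for the symmetric case, on both the identity provider and service provider application sides. It assumes that "symmetric" is the type string passed to init() (matching the console entry format), that SecureAttrs.getSecureAttrs(String) returns the initialized instance, and that verifyEncodedString() returns null when signature verification or decryption fails; the shared secret and attribute values are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import com.sun.identity.sae.api.SecureAttrs;

public class SaeEncryptionDemo {

    // Placeholder only: in a deployment this is the encoded shared secret configured
    // in the Application Security Configuration entry, never a literal in source.
    private static final String SHARED_SECRET = "replace-with-encoded-shared-secret";

    /** Initialise one SecureAttrs instance configured for symmetric DES-56 encryption. */
    static SecureAttrs initSymmetric(String instanceName) throws Exception {
        Properties props = new Properties();
        // Constants named on the page; DES/56 mirrors the sample console entries.
        props.setProperty(SecureAttrs.SAE_CONFIG_DATA_ENCRYPTION_ALG, "DES");
        props.setProperty(SecureAttrs.SAE_CONFIG_ENCRYPTION_KEY_STRENGTH, "56");
        // Assumption: "symmetric" is the type string, as in the console entry format.
        SecureAttrs.init(instanceName, "symmetric", props);
        // Assumption: init() registers the instance and getSecureAttrs() retrieves it.
        return SecureAttrs.getSecureAttrs(instanceName);
    }

    public static void main(String[] args) throws Exception {
        SecureAttrs idpSide = initSymmetric("idpapp");
        SecureAttrs spSide = initSymmetric("spapp");

        Map<String, String> attrs = new HashMap<>();   // constructed sample attributes
        attrs.put("userid", "jdoe");
        attrs.put("branch", "mainbranch");

        // IDP application side: sign AND encrypt (third argument non-null). For symmetric
        // encryption the encryption key is the same shared secret used for signing.
        String encrypted = idpSide.getEncodedString(attrs, SHARED_SECRET, SHARED_SECRET);
        // Passing null as encSecret only signs; equivalent to the two-argument overload.
        String signedOnly = idpSide.getEncodedString(attrs, SHARED_SECRET, null);

        // SP application side: verify the signature and decrypt. Decryption is skipped
        // when encSecret is null or the payload was not encrypted.
        Map<?, ?> decoded = spSide.verifyEncodedString(encrypted, SHARED_SECRET, SHARED_SECRET);
        // Assumption: a null return means the signature (or decryption) check failed;
        // treat it as a hard failure rather than falling back to unverified attributes.
        if (decoded == null) {
            throw new IllegalStateException("SAE verification failed: reject the request");
        }
        System.out.println("user=" + decoded.get("userid"));

        // A payload verified with the wrong secret must not yield any attributes.
        Map<?, ?> wrongKey = spSide.verifyEncodedString(encrypted, "wrong-secret", "wrong-secret");
        System.out.println("verifies with wrong secret? " + (wrongKey != null));
    }
}
```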
Log in to the OpenSSO console as the administrator.
Click the Federation tab.
Select the name of the appropriate hosted identity provider.
Click the Advanced tab.
Add one entry for each identity provider application as a value of the Application Security Configuration attribute. Each application should have one entry using one of the following formats:
url=IDPAppURL|type=symmetric|secret=encoded-shared-secret|encryptionalgorithm=encryption-algorithm|encryptionkeystrength=encryption-strength
Sample Symmetric Entry
url=http://www.idpapp.com:8080/idpapp/samples/saml2/sae/saeIDPApp.jsp|type=symmetric|secret=AQICNeg4ahYuOLmXG5w5yUgvmCUP0rr1HFGf|encryptionalgorithm=DES|encryptionkeystrength=56|
url=IDPAppURL|type=asymmetric|pubkeyalias=IDPApp-signing-certificate|encryptionalgorithm=encryption-algorithm|encryptionkeystrength=encryption-strength
Sample Asymmetric Entry
url=http://www.idpapp.com:8080/idpapp/samples/saml2/sae/saeIDPApp.jsp|type=asymmetric|pubkeyalias=idpapp-cert|encryptionalgorithm=DES|encryptionkeystrength=56|
Save the configuration.
Log out of the console.
Log in to the OpenSSO console as the administrator.
Click the Federation tab.
Select the name of the appropriate hosted service provider.
Click the Advanced tab.
Add one entry for each service provider application as a value of the Application Security Configuration attribute. Each application should have one entry using one of the following formats:
url=SPAppURL|type=symmetric|secret=encoded-shared-secret|encryptionalgorithm=encryption-algorithm|encryptionkeystrength=encryption-strength
Sample Symmetric Entry
url=http://www.spapp.com:8080/spapp/samples/saml2/sae/saeSPApp.jsp|type=symmetric|secret=AQICNeg4ahYuOLmXG5w5yUgvmCUP0rr1HFGf|encryptionalgorithm=DES|encryptionkeystrength=56|
url=SPAppURL|type=asymmetric|privatekeyalias=SP-signing-certificate-alias|encryptionalgorithm=encryption-algorithm|encryptionkeystrength=encryption-strength|pubkeyalias=SPApp-public-key-alias
The privatekeyalias attribute may be omitted if the signing-certificate-alias is already configured in the service provider metadata.
Sample Asymmetric Entry
url=http://www.spapp.com:8080/spapp/samples/saml2/sae/saeSPApp.jsp|type=asymmetric|privatekeyalias=test|encryptionalgorithm=DES|encryptionkeystrength=56|pubkeyalias=spapp-cert|
Save the configuration.
Log out of the console.
Use the SAE sample included with OpenSSO to test the configuration. You can find it in the samples/saml2/sae directory of the opensso.war or in the saml2/sae directory of the opensso-client-jdk14.war or the opensso-client-jdk15.war.