Oracle OpenSSO 8.0 Update 2 Release Notes

.NET Fedlet Encryption and Decryption of Requests and Responses (CR 6939005)

The .NET Fedlet can encrypt outgoing XML requests and decrypt incoming responses for the NameID, Attribute, and Assertion elements.

Procedure: To Configure the .NET Fedlet for Encryption and Decryption of Requests and Responses

  1. Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:

    http://msdn.microsoft.com/en-us/library/ms788967.aspx

  2. Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)

  3. Set the appropriate permissions to allow read access to the certificate's private key for the user account that Internet Information Services (IIS) uses to run your application, as described in the Microsoft article. Read access is all the Fedlet needs to decrypt; do not grant Full Control. For example:

    1. In the Certificates Snap-in, select the certificate and navigate to Action, All Tasks, and then Manage Private Keys.

    2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE, or IIS AppPool\<pool name> if the application pool runs under its ApplicationPoolIdentity).

  4. In the .NET Fedlet's extended metadata file (sp-extended.xml), enter the friendly name from Step 2 as the value of the encryptionCertAlias attribute. For example:

    <Attribute name="encryptionCertAlias">
        <Value>MyFedlet</Value>
    </Attribute>

  5. In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the encryption key.

    Use the same Certificates Snap-in to export the certificate, without its private key, as a Base64-encoded X.509 (.CER) file, and paste the Base64 text into the ds:X509Certificate element of the KeyDescriptor XML block. Only the public certificate belongs in metadata; never export the private key here. This KeyDescriptor must be the first child element within the SPSSODescriptor. The certificate shown below is a sample; replace it with the one you imported in Step 1. For example:

    <KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
            <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
        </EncryptionMethod>
    </KeyDescriptor>
  6. Restart the Application Pool associated with your .NET application.
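
The six steps above are performed by hand in the MMC Certificates Snap-in and a text editor. The following PowerShell script is an added example, not part of the release notes or the Fedlet distribution, that performs the same six steps on Windows Server with PowerShell 5.1 and IIS. It assumes a PFX file .\fedlet.pfx containing the certificate and private key, an application pool named FedletPool running under its ApplicationPoolIdentity, and the Fedlet metadata files in C:\inetpub\Fedlet\App_Data; all of those names are placeholders. It goes slightly beyond the manual procedure in locating the private-key file for both CAPI and CNG key storage, and it exports only the public certificate (X509ContentType::Cert can never include the private key).

```powershell
# Added example (not from the OpenSSO release notes). Run as Administrator.
# Assumed values: fedlet.pfx, FedletPool, C:\inetpub\Fedlet\App_Data.
$ErrorActionPreference = 'Stop'
Import-Module PKI
Import-Module WebAdministration

$PfxPath      = '.\fedlet.pfx'                  # assumed: PFX with certificate + private key
$FriendlyName = 'MyFedlet'                       # value for encryptionCertAlias (Step 4)
$AppPool      = 'FedletPool'                     # assumed IIS application pool name
$MetaDir      = 'C:\inetpub\Fedlet\App_Data'     # assumed location of sp.xml / sp-extended.xml
# Identity the pool runs as: "IIS AppPool\<pool>" for ApplicationPoolIdentity,
# or 'NT AUTHORITY\NETWORK SERVICE' if the pool is configured that way.
$PoolIdentity = "IIS AppPool\$AppPool"

# Step 1: import into the Local Computer Personal store (Cert:\LocalMachine\My).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
# Re-read the store-backed object so property writes persist.
$cert = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; decryption would fail.' }

# Step 2: friendly name (Step 4 references it as encryptionCertAlias).
$cert.FriendlyName = $FriendlyName

# Step 3: Read (not Full Control) on the private-key file for the IIS identity.
# CAPI and CNG keys are stored in different folders under ProgramData.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = "$env:ProgramData\Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    $keyFile = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($PoolIdentity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Step 4: set encryptionCertAlias in sp-extended.xml (namespace-agnostic XPath).
$ext = New-Object System.Xml.XmlDocument
$ext.PreserveWhitespace = $true
$ext.Load("$MetaDir\sp-extended.xml")
$aliasNode = $ext.SelectSingleNode("//*[local-name()='Attribute' and @name='encryptionCertAlias']/*[local-name()='Value']")
if (-not $aliasNode) { throw 'encryptionCertAlias attribute not found in sp-extended.xml' }
$aliasNode.InnerText = $FriendlyName
$ext.Save("$MetaDir\sp-extended.xml")

# Step 5: export the public certificate only, Base64-encode it, and insert a
# KeyDescriptor use="encryption" as the FIRST child of SPSSODescriptor in sp.xml.
$der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64  = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$md   = 'urn:oasis:names:tc:SAML:2.0:metadata'
$ds   = 'http://www.w3.org/2000/09/xmldsig#'
$xenc = 'http://www.w3.org/2001/04/xmlenc#'
$sp = New-Object System.Xml.XmlDocument
$sp.PreserveWhitespace = $true
$sp.Load("$MetaDir\sp.xml")
$ns = New-Object System.Xml.XmlNamespaceManager($sp.NameTable)
$ns.AddNamespace('md', $md)
$spsso = $sp.SelectSingleNode('//md:SPSSODescriptor', $ns)
if (-not $spsso) { throw 'SPSSODescriptor not found in sp.xml' }
$kd = $sp.CreateElement('KeyDescriptor', $md);         $kd.SetAttribute('use', 'encryption')
$ki = $sp.CreateElement('ds', 'KeyInfo', $ds)
$xd = $sp.CreateElement('ds', 'X509Data', $ds)
$xc = $sp.CreateElement('ds', 'X509Certificate', $ds); $xc.InnerText = $b64
$em = $sp.CreateElement('EncryptionMethod', $md);      $em.SetAttribute('Algorithm', "${xenc}aes128-cbc")
$ks = $sp.CreateElement('KeySize', $xenc);             $ks.InnerText = '128'
[void]$xd.AppendChild($xc); [void]$ki.AppendChild($xd); [void]$kd.AppendChild($ki)
[void]$em.AppendChild($ks); [void]$kd.AppendChild($em)
[void]$spsso.PrependChild($kd)
$sp.Save("$MetaDir\sp.xml")

# Step 6: recycle the pool so the Fedlet reloads metadata and the certificate.
Restart-WebAppPool -Name $AppPool
Write-Host "Configured encryption certificate '$FriendlyName' ($($cert.Thumbprint)) for pool $AppPool"
```

The identity in $PoolIdentity must match what the pool actually runs as; a Read grant to the wrong account is the usual cause of "decryption failed" errors after this procedure. Keep the private key in the machine store only; the metadata file that leaves the machine carries nothing but the public certificate.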

Next Steps

To test this configuration, use the sample application. Also, set the following attributes to encrypt requests sent to the identity provider and decrypt the responses it returns, making the corresponding changes to the configured metadata: