encrypted SAML token

时间:2019-04-08 14:02:07

标签: php saml onelogin

I am using the php-saml toolkit https://github.com/onelogin/php-saml to implement an SSO in a web application. The authentication in itself works but when i check with an intercepting proxy https://portswigger.net/burp/communitydownload the saml token appears in clear (as xml, with the username along with all information passed for authentication). In the connector and the setting https://github.com/onelogin/php-saml/blob/master/settings_example.php i have set the certificate (in idp/x509cert)

I am not sure if the presence of the certFingerprint makes a difference, i tried with and without and the saml token is in clear in both cases.

Is it possible to have this saml response encrypted ? it is still signed so it cannot be changed but having this data in clear is still a problem for me

1 个答案:

答案 0 :(得分:0)

您确实可以对SAML响应进行加密,并且需要由您的Onelogin管理员为您的应用程序进行设置。通过使用TLS可以减轻对响应(或断言)的加密,因为您已经在传输层进行了加密,并且我看到的大多数 应用程序都不会对响应或断言进行加密,但是如果在以下情况下可以在Onelogin中使用需要。