Relying party wants me to disable assertion encryption

  • Question

  • I'm running ADFS on Server 2016. I have several successful Relying Trusts configured. I have a new one that wants me to disable assertion encryption. They sent me their metadata and I created the Trust. I then clicked the Encryption tab, clicked Remove to remove the certificate for encryption. They pulled my federationmetadata from https://mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml and say that encryption is still set to true. Below is the pic they sent me. I don't know what else I can do on my end.


    Wednesday, May 15, 2019 12:05 PM

Answers

  • LOL, if only I had a dollar for every time a Service Provider has an Encryption certificate in their Federation Metadata XML and they tell you not to encrypt the assertions in the SAML Token with it :-)

    Why do they put it in their FM XML to begin with then?

    Oh well, instead of removing the Encryption certificate always use the following PowerShell cmdlet.

    That way if you need to turn on encryption later on you have the correct certificate in place already.

    Set-AdfsRelyingPartyTrust -TargetName "Name-of-RPT" -EncryptClaims $false

    Next, do like nzpcmad1 says and use Fiddler to capture the SAML Token and send it to the SP as proof that you are not encrypting the assertions.

    By the way, which SP is this?

    Thursday, May 16, 2019 6:40 PM
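The following script is an added example, not code posted in this thread. It puts the accepted answer's two steps into reusable functions: first the `Set-AdfsRelyingPartyTrust -EncryptClaims $false` call, read back with `Get-AdfsRelyingPartyTrust` to confirm that claims encryption is off while the SP's encryption certificate is still stored on the trust; second, an offline check of a SAMLResponse value captured with Fiddler (the base64 form-post field) that reports whether the token carries an `EncryptedAssertion` or a plain `Assertion`. The trust name "Name-of-RPT" is the thread's placeholder, the ADFS cmdlets are assumed to be run on the ADFS server, and the sample SAML response at the bottom is constructed for the demonstration. As nzpcmad1 notes, the IdP's federation metadata describes ADFS, not the relying party, so the captured token, not the metadata, is the evidence the SP should be looking at.

```powershell
# Added example (not from the original thread). Assumes the ADFS PowerShell
# module is loaded on the ADFS server and a relying party trust named
# "Name-of-RPT" (placeholder from the thread) already exists.

# Step 1: turn off assertion encryption without deleting the SP's encryption
# certificate, then read the trust back so the change can be verified.
function Disable-RptAssertionEncryption {
    param([Parameter(Mandatory)][string]$TargetName)

    Set-AdfsRelyingPartyTrust -TargetName $TargetName -EncryptClaims $false

    $rpt = Get-AdfsRelyingPartyTrust -Name $TargetName
    [pscustomobject]@{
        Name                    = $rpt.Name
        EncryptClaims           = $rpt.EncryptClaims                     # expected: False
        EncryptionCertificateOk = ($null -ne $rpt.EncryptionCertificate)  # cert kept for later use
    }
}

# Step 2: inspect a SAMLResponse captured with Fiddler. The value is the
# base64 of the XML <samlp:Response>; this runs offline and needs no ADFS.
function Test-SamlResponseEncrypted {
    param([Parameter(Mandatory)][string]$SamlResponseBase64)

    $bytes = [Convert]::FromBase64String($SamlResponseBase64)
    $xml   = [xml][Text.Encoding]::UTF8.GetString($bytes)

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $encrypted = $xml.SelectSingleNode('/samlp:Response/saml:EncryptedAssertion', $ns)
    $plain     = $xml.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)

    [pscustomobject]@{
        HasEncryptedAssertion = ($null -ne $encrypted)   # True means claims are still encrypted
        HasPlainAssertion     = ($null -ne $plain)       # True is what the SP asked for
    }
}

# --- usage ---
# On the ADFS server:
#   Disable-RptAssertionEncryption -TargetName "Name-of-RPT"

# Offline, with a constructed (not captured) unencrypted response to show the
# shape of the output; substitute the SAMLResponse value from Fiddler in practice.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Issuer>http://mydomain.com/adfs/services/trust</saml:Issuer>
  </saml:Assertion>
</samlp:Response>
'@
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Test-SamlResponseEncrypted -SamlResponseBase64 $sampleB64
```

Keeping the certificate on the trust and only flipping `EncryptClaims` is the reversible route: if the SP later asks for encryption, re-enabling it is a single `-EncryptClaims $true` with no metadata re-import. The second function is what to run on the Fiddler capture before sending it to the SP; if `HasEncryptedAssertion` is still True after the change, check that the capture came from this trust and after the setting was applied.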

All replies

  • The metadata does not describe the RP so has no effect on the change you made.

    When you do a network trace, is the SAML token encrypted?

    Wednesday, May 15, 2019 6:41 PM