disable assertion encryption

  • Question

  • My partner is requesting I disable assertion encryption. In their words, "ADFS uses separate certificates for signature and encryption but we expect one certificate for both. Our communications are all SSL encrypted. There is no reason to doubly encrypt communications, particularly with signed assertions/responses.  After you change that setting and provide a new metadata file I will create one for you to import."  

    Is this a concern? If not, how do I disable assertion encryption? Everything I find online shows how to disable it after the Relying Party Trust is created.

    Thanks

    Wednesday, April 17, 2019 2:04 AM

Answers

  • "ADFS uses separate certificates for signature and encryption but we expect one certificate for both." This is a misunderstanding here, well, many misunderstandings...

    1. The Token Encrypting certificate is used only when another Claim Provider Trust wants to encrypt the token to send to ADFS. If you do not have another Claim Provider Trust other than AD, this certificate has no purpose.

    2. I don't see why they would expect to use the same certificate for both signature and encryption. No specs are dictating this. I guess they might have some limitation on their side. 

    3. The TLS encryption is for the transportation of the token. The token is still clear text for the end-users on the user-agent (browser). If an application wants confidentiality even of the user-agent, then token encryption is the only way to achieve it. These are two different things.

    4. Ultimately, you can disable token encryption (although it is not enabled by default for RPT anyways...)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Thursday, April 18, 2019 9:58 PM
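The answer's points 1 and 4 (and Isaac's reply about removing the certificate from the Relying Party configuration) translate into a short ADFS PowerShell session. The block below is an added example, not code from the thread or from Microsoft documentation; it assumes you run it on an ADFS server with the ADFS module, and `PartnerApp-PLACEHOLDER` stands in for the display name of your Relying Party Trust. Note that the ADFS console and cmdlets label the service-level certificate from point 1 "Token-Decrypting", which is the same certificate the answer calls the Token Encrypting certificate.

```powershell
# Added example (not from the thread): inspect and then disable assertion (claim)
# encryption for one Relying Party Trust using the ADFS PowerShell module.
# Assumptions: run as an administrator on an ADFS server; $rpName is a placeholder.
Import-Module ADFS

$rpName = 'PartnerApp-PLACEHOLDER'   # assumption: display name of the Relying Party Trust

# Point 1 of the answer: the service-level Token-Decrypting certificate is only used
# to decrypt tokens that a Claim Provider Trust encrypts *to* ADFS. Listing it is for
# reference; it is not what gets changed for a Relying Party.
Get-AdfsCertificate -CertificateType Token-Decrypting |
    Select-Object CertificateType, IsPrimary,
        @{ Name = 'Thumbprint'; Expression = { $_.Certificate.Thumbprint } }

# What the Relying Party currently has: the partner's public key imported from their
# metadata (EncryptionCertificate) and the EncryptClaims switch that controls whether
# ADFS encrypts the assertions it issues to this trust.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
[pscustomobject]@{
    Name                       = $rp.Name
    EncryptClaims              = $rp.EncryptClaims
    EncryptionCertificate      = if ($rp.EncryptionCertificate) { $rp.EncryptionCertificate.Thumbprint } else { '(none)' }
    SignedSamlRequestsRequired = $rp.SignedSamlRequestsRequired
}

# Point 4 of the answer: turn off assertion encryption for this trust only.
# Signing is unaffected. After this, the assertion is readable in the browser
# (point 3 of the answer); TLS still protects it in transit.
Set-AdfsRelyingPartyTrust -TargetName $rpName -EncryptClaims $false

# Re-read the trust and confirm EncryptClaims is now $false before re-exporting
# metadata for the partner.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, EncryptClaims
```

Only the Relying Party setting is touched here: the Token-Decrypting certificate and the service's own federation metadata are left alone, which matches the answer's point that the service-level certificate has no role in what ADFS sends to a Relying Party.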

All replies

  • Hello, I am assuming your client meant the Relying Party assertion encryption. If that is the case you will need to go to the Relying Party configuration and remove the certificate, but keep in mind that assertions and claims will be sent in plain text.

    Isaac Oben MCITP:EA, MCSE, MCC (View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard)

    Wednesday, April 17, 2019 4:45 AM
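Isaac's warning that "assertions and claims will be sent in plain text", and point 3 of the accepted answer, are easiest to see by decoding a SAML Response the way the browser receives it in the HTTP-POST binding. The block below is an added example, not from the thread; both responses it decodes are constructed, minimal samples (not captured from a real ADFS), and the issuer, subject and claim values in them are made up.

```powershell
# Added example (not from the thread): decode the SAMLResponse form field a browser
# receives and report whether the assertion is encrypted or readable. The two samples
# are constructed for this example; real ADFS responses carry many more elements.

function Get-SamlResponseSummary {
    param([Parameter(Mandatory)][string]$SamlResponseBase64)

    $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $doc = [xml]$xmlText
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    # An encrypted response wraps the assertion in saml:EncryptedAssertion; only the
    # Relying Party's private key can open it. A plain one exposes saml:Assertion.
    $encrypted = $doc.SelectSingleNode('/samlp:Response/saml:EncryptedAssertion', $ns)
    $plain     = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    $signed    = $null -ne $doc.SelectSingleNode('//ds:Signature', $ns)

    $nameId = '(not readable without the Relying Party private key)'
    $claims = @()
    if ($plain) {
        $nameId = $plain.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText
        $claims = @($plain.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns) |
            ForEach-Object {
                '{0}={1}' -f $_.GetAttribute('Name'), $_.SelectSingleNode('saml:AttributeValue', $ns).InnerText
            })
    }

    [pscustomobject]@{
        AssertionEncrypted = ($null -ne $encrypted)
        Signed             = $signed
        NameID             = $nameId
        Claims             = $claims
    }
}

# Constructed sample 1: signed but unencrypted assertion (what the browser sees after
# EncryptClaims is turned off). The signature value is a dummy.
$plainResponse = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2019-04-17T02:04:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-17T02:04:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>QUJD</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@

# Constructed sample 2: the same response shape with an encrypted assertion. The
# cipher value is a dummy; the point is only that nothing inside is readable.
$encryptedResponse = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0" IssueInstant="2019-04-17T02:04:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherData><xenc:CipherValue>QUJDREVG</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
"@

# Base64-encode exactly as the HTTP-POST binding does for the SAMLResponse field.
$plainB64     = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($plainResponse))
$encryptedB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($encryptedResponse))

Get-SamlResponseSummary -SamlResponseBase64 $plainB64
Get-SamlResponseSummary -SamlResponseBase64 $encryptedB64
```

To use it on a real login, paste the `SAMLResponse` form value from the browser's developer tools into `Get-SamlResponseSummary`; the first sample shows the NameID and claims in the clear while the second shows only that an encrypted blob is present, which is the distinction between transport (TLS) protection and token encryption that the answer's point 3 draws.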
  • Thank you Isaac,

    That is my understanding as well...that I have to create the Relying Party Trust first, and then remove the encryption. They are telling me I have to disable assertion encryption and then resend the new federationmetadata.xml. I don't know how, or if even possible, that I should.

    Wednesday, April 17, 2019 11:57 AM