Public-key cryptography

In SAML-based SSO, the sensitive part of the exchange (the assertion carrying the user's attributes) is commonly protected end to end with public-key cryptography (PKC): the IdP encrypts it for our app and signs it, and our app decrypts it and checks the signature.

Public-key cryptography employs a pair of keys, one public and one private. Anyone holding your public key can encrypt a message that only you, with the matching private key, can decrypt; likewise, having a friend's public key lets you encrypt messages to them. The public key can be handed out freely; the private key must never leave your server.

In this scheme, when JHU's IdP sends user attributes to our app (the SP), it encrypts them using our app's public key, which it learns from the metadata file we give them. Our app then uses its private key to decrypt the data. (Strictly, XML Encryption encrypts the assertion with a fresh symmetric key and wraps only that key with our public key, but the effect is the same: only the holder of our private key can read the attributes.) So, we must:

  1. create a pair of private and public keys
  2. share the public key with IdP (i.e. include it in our metadata XML file)

The generation of public/private keys is done using cryptographic algorithms; for SAML this is almost always RSA. X.509 is not a key algorithm but the certificate format in which the public key is published: the SP metadata carries the certificate (base64-encoded DER) in a `<ds:X509Certificate>` element inside a `<md:KeyDescriptor>`, typically marked `use="encryption"`.

My preferred way of generating the key pair is the OpenSSL command-line tool, which can be obtained from https://www.openssl.org/ (most Linux distributions and macOS already ship an `openssl` binary). A single `openssl req -x509` command produces both the private key and the self-signed X.509 certificate that the metadata file needs.
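Putting the two steps together as a shell script is an added example; it is not code from the original post. It uses the OpenSSL CLI the post recommends. The file names `sp.key` and `sp.crt`, the subject `CN=sp.example.edu`, the 10-year validity and the directory argument are assumptions, and the `KeyDescriptor` fragment only illustrates where the certificate lands in the SP metadata, not a complete metadata file.

```shell
#!/bin/sh
# Added example (not from the original post): generate an SP key pair plus a
# self-signed X.509 certificate for SAML metadata, check that they match, and
# emit the certificate in the form the metadata file expects.
# Assumed names: sp.key, sp.crt, CN=sp.example.edu, 10-year validity.
set -e

# Step 1: create the key pair. One openssl command produces a 2048-bit RSA
# private key (unencrypted, so the SP can load it at startup) and a self-signed
# X.509 certificate wrapping the matching public key.
gen_sp_keypair() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=sp.example.edu" \
        -keyout "$dir/sp.key" -out "$dir/sp.crt" 2>/dev/null
    # The private key must never be shared or world-readable.
    chmod 600 "$dir/sp.key"
}

# Sanity check: the certificate's public key must belong to the private key.
# For RSA both sides expose the modulus, so comparing the two is sufficient.
keypair_matches() {
    dir="$1"
    key_mod=$(openssl rsa -in "$dir/sp.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$dir/sp.crt" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ]
}

# Step 2 (preparation): strip the PEM armor so only the base64 DER remains,
# which is exactly what goes inside <ds:X509Certificate>.
cert_for_metadata() {
    sed '/^-----/d' "$1/sp.crt" | tr -d '\n'
}

# Step 2: a minimal KeyDescriptor fragment for the SP metadata, marked for
# encryption so the IdP knows to encrypt assertions to this key.
metadata_key_descriptor() {
    b64=$(cert_for_metadata "$1")
    printf '<md:KeyDescriptor use="encryption">\n'
    printf '  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    printf '    <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>\n' "$b64"
    printf '  </ds:KeyInfo>\n'
    printf '</md:KeyDescriptor>\n'
}
```

Usage: `gen_sp_keypair ./sp-keys && keypair_matches ./sp-keys && metadata_key_descriptor ./sp-keys` prints the fragment to paste into the SP metadata. Only `sp.crt` (or its base64 body) is ever shared with the IdP; `sp.key` stays on the SP, and the modulus comparison catches the common mistake of publishing a certificate that was generated for a different key.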