Impossible to roll the keys when IDP encrypts assertions #2571

@RoSk0

Description

@RoSk0

Specifics of your environment

  1. Are you acting as SP/IdP/proxy? - IDP
  2. SimpleSAMLphp: What version are you using? - latest, 2.4.3
  3. PHP: What version are you using? - N/A
  4. Platform: unix or Windows? - N/A
  5. Webserver: Apache/Nginx/IIS? - N/A

Describe the bug
If the IdP is configured to encrypt assertions ('assertion.encryption' => true in saml20-idp-hosted.php), key rollover is impossible, because as soon as you add new_privatekey and new_certificate, assertions are encrypted using the new key. This is also confirmed by the generated metadata.

idp-metadata.xml
idp-metadata-new.xml

To Reproduce
Steps to reproduce the behavior:

  1. Install the latest version and configure it as an IdP with 'assertion.encryption' => true in saml20-idp-hosted.php
  2. Install a second copy of the latest version and configure it as an SP for the previous IdP using its metadata
  3. Test that SSO works
  4. Add new_privatekey and new_certificate to saml20-idp-hosted.php
  5. Attempt to log in to the SP and observe
Backtrace:
2 src/SimpleSAML/Error/ExceptionHandler.php:36 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
1 /app/vendor/symfony/error-handler/ErrorHandler.php:538 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: Exception: Failed to decrypt XML element.
Backtrace:
10 /app/vendor/simplesamlphp/saml2-legacy/src/SAML2/Utils.php:539 (SAML2\Utils::decryptElement)
9 /app/vendor/simplesamlphp/saml2-legacy/src/SAML2/EncryptedAssertion.php:122 (SAML2\EncryptedAssertion::getAssertion)
8 modules/saml/src/Message.php:380 (SimpleSAML\Module\saml\Message::decryptAssertion)
7 modules/saml/src/Message.php:643 (SimpleSAML\Module\saml\Message::processAssertion)
6 modules/saml/src/Message.php:613 (SimpleSAML\Module\saml\Message::processResponse)
5 modules/saml/src/Controller/ServiceProvider.php:385 (SimpleSAML\Module\saml\Controller\ServiceProvider::assertionConsumerService)
4 /app/vendor/symfony/http-kernel/HttpKernel.php:181 (Symfony\Component\HttpKernel\HttpKernel::handleRaw)
3 /app/vendor/symfony/http-kernel/HttpKernel.php:76 (Symfony\Component\HttpKernel\HttpKernel::handle)
2 /app/vendor/symfony/http-kernel/Kernel.php:197 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

Expected behavior
Authentication succeeds.
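The reporter says the generated IdP metadata shows which certificate is advertised for encryption once new_privatekey/new_certificate are added. The script below is an added example for checking exactly that on any SAML 2.0 metadata document; it is not part of the issue and not SimpleSAMLphp code. It lists every KeyDescriptor per role with its `use` attribute (an absent `use` means both signing and encryption, per the SAML metadata specification) and a SHA-256 fingerprint of the DER certificate, then flags roles that advertise two or more signing certificates but only one encryption certificate. The entity ID and the two "certificates" are constructed placeholders (base64 of arbitrary bytes), not real keys.

```python
"""Lint SAML 2.0 metadata for key-rollover hazards.

Added example, not part of the issue or of SimpleSAMLphp.  Certificates and
entity IDs below are constructed placeholders.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
ROLES = ("IDPSSODescriptor", "SPSSODescriptor")


def _fingerprint(b64cert: str) -> str:
    """SHA-256 over the DER bytes, the form most metadata tools display."""
    der = base64.b64decode(re.sub(r"\s+", "", b64cert))
    return hashlib.sha256(der).hexdigest()


def list_keys(metadata_xml: str) -> list[dict]:
    """One entry per KeyDescriptor carrying an X509Certificate.

    A missing `use` attribute applies the key to both signing and encryption
    (SAML metadata spec, section 2.4.1.1), so it is reported as "both".
    """
    root = ET.fromstring(metadata_xml)
    keys = []
    for role in ROLES:
        for kd in root.iterfind(f".//md:{role}/md:KeyDescriptor", NS):
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is None or not cert.text or not cert.text.strip():
                continue
            keys.append({
                "role": role,
                "use": kd.get("use", "both"),
                "fingerprint": _fingerprint(cert.text),
            })
    return keys


def rollover_warnings(keys: list[dict]) -> list[str]:
    """Flag roles that publish several signing certs but one encryption cert.

    Peers holding stale metadata keep encrypting to the certificate that is
    no longer advertised, so its private key must stay configured until every
    peer has refreshed.
    """
    warnings = []
    for role in ROLES:
        signing = {k["fingerprint"] for k in keys
                   if k["role"] == role and k["use"] in ("signing", "both")}
        encryption = {k["fingerprint"] for k in keys
                      if k["role"] == role and k["use"] in ("encryption", "both")}
        if len(signing) >= 2 and len(encryption) == 1:
            (enc_fp,) = encryption
            warnings.append(
                f"{role}: {len(signing)} signing certificates but a single "
                f"encryption certificate ({enc_fp[:16]}...); keep the private "
                "key of the withdrawn certificate until all peers have refreshed")
    return warnings


# --- constructed sample input (placeholders, not real certificates) ---------
NEW_CERT = base64.b64encode(b"placeholder DER for the new IdP certificate").decode()
OLD_CERT = base64.b64encode(b"placeholder DER for the old IdP certificate").decode()


def _key_descriptor(cert_b64: str, use: str = "") -> str:
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def _entity(role: str, key_descriptors: str) -> str:
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            'entityID="https://idp.example.org/saml2/idp/metadata.php">'
            f'<md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{key_descriptors}</md:{role}></md:EntityDescriptor>")


# Mid-rollover IdP metadata: the new certificate is advertised for both uses,
# the old one for signing only.
IDP_MID_ROLLOVER = _entity(
    "IDPSSODescriptor",
    _key_descriptor(NEW_CERT, "signing")
    + _key_descriptor(NEW_CERT, "encryption")
    + _key_descriptor(OLD_CERT, "signing"))

# Single-key SP metadata with no `use` attribute: one certificate for both uses.
SP_SINGLE_KEY = _entity("SPSSODescriptor", _key_descriptor(OLD_CERT))

if __name__ == "__main__":
    for name, xml in (("idp", IDP_MID_ROLLOVER), ("sp", SP_SINGLE_KEY)):
        keys = list_keys(xml)
        for k in keys:
            print(name, k["role"], k["use"], k["fingerprint"][:16])
        for w in rollover_warnings(keys):
            print("WARNING", w)
```

Run it against the real file (`list_keys(open("idp-metadata-new.xml").read())`) to see which fingerprint each role advertises for `encryption`; comparing that with the fingerprint of the key the SP actually holds tells you whether a decryption failure like the one in the backtrace is a metadata mismatch rather than a message-level fault.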
