Encrypted SAML response

Collibra Data Intelligence Platform supports encrypted SAML responses. Collibra implements XMLEnc, the industry standard for encrypting SAML responses.

Encryption

SAML assertions are expected to be encrypted in XMLEnc mixed mode, which means that:

  1. The Identity Provider (IdP) generates a random symmetric key and uses it to encrypt the assertion.
  2. The symmetric key is encrypted using a public key provided by the Service Provider (SP), in this case Collibra.
  3. The encrypted symmetric key is embedded into the SAML response alongside both the public key used to encrypt it and the encrypted assertion.
  4. When Collibra receives the response, it decrypts the symmetric key using its own private key and then uses that symmetric key to decrypt the assertion.

Supported cryptographic algorithms

Different IdPs may use different cryptographic schemes and algorithms. As a Service Provider, Collibra has to decrypt the assertions of many IdPs, so Collibra supports the algorithms that are marked as "required" in the XMLEnc specifications.

The supported algorithms for symmetric cryptography are:

  • 3DES
  • AES-128-CBC
  • AES-256-CBC
  • AES-128-GCM
  • AES-256-GCM

The supported algorithm for asymmetric cryptography is RSA-OAEP with MGF1 and SHA-1.

Collibra recommends integrating with an IdP that uses AES-256-GCM for symmetric encryption.