Federation - Protection of Assertion Confidentiality via Assertion Encryption, v1.0

Identity Providers must encrypt assertions using approved cryptography.

Assessment Step

Assertion Encryption (AssertionEncryption)
Does the IdP correctly encrypt assertions using approved cryptography? This can be public key or symmetric key encryption.
Provide evidence (e.g., policies, operational samples) that the IdP correctly encrypts assertions.

Conformance Criteria (1)

  • When encrypting assertions, the IdP SHALL encrypt the contents of the assertion using either the RP's public key or a shared symmetric key.
  • Shared symmetric keys used for this purpose by the IdP SHALL be independent for each RP to which it sends assertions, and are normally established during registration of the RP.
  • All encryption of assertions SHALL use approved cryptography.
NIST SP 800-63C, Section 6.2.3
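An added example (not part of this page or of NIST SP 800-63C) showing the symmetric-key option of the criteria above with Go's standard library: the IdP holds one independent AES-256-GCM key per registered RP and seals each assertion under the key of the RP it is sent to, so another RP's key, a different RP identifier or a tampered blob all fail to decrypt. The IdP type, RegisterRP, EncryptAssertion and DecryptAssertion are this example's own names and the in-memory key store is an assumption; a real IdP would keep these keys in an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type IdP map[string][]byte // one independent AES-256 key per registered RP (hypothetical in-memory store; real IdPs use an HSM/KMS)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must never be papered over
	}
	return b
}

// RegisterRP establishes a fresh key for one RP at registration and returns it so the RP side can decrypt.
func (idp IdP) RegisterRP(rpID string) []byte {
	idp[rpID] = randomBytes(32)
	return idp[rpID]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAssertion seals the assertion under the destination RP's key (AES-256-GCM, rpID bound as associated data); output: nonce || ciphertext || tag.
func (idp IdP) EncryptAssertion(rpID string, assertion []byte) ([]byte, error) {
	gcm, err := newGCM(idp[rpID]) // an unregistered RP has no key, so this fails rather than sending plaintext
	if err != nil {
		return nil, fmt.Errorf("RP %q: %w", rpID, err)
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, assertion, []byte(rpID)), nil
}

// DecryptAssertion is the RP side; it succeeds only with the key issued to rpID and an untampered blob.
func DecryptAssertion(key []byte, rpID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(rpID))
}
```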