Add support for HSM

[jzheaux]

Many applications will not deal with keys at all but will instead send data to a service like Vault to be encrypted, decrypted, signed, and verified.

Currently, an application needs to implement their own Saml2AuthenticationRequestFactory and AuthenticationProvider to achieve this. It would be nice if applications could implement something more targeted to cryptographic operations.

• Decrypting Assertions - Add HSM Support for Decrypting Assertions #9044
• Signing AuthnRequests - Add HSM Support for Signing AuthnRequests #9045

[ryan13mt]

+1

This would be very useful to have supported due to security requirements on where the private keys are stored.

[Koshux]

+1
Would appreciate this due to a particular use case!

[jnunqui]

+1
would be very useful

[cvenkatreddy]

would be very useful enhancement

+1
This would be useful for us

[nafidhaque]

+1
Would be useful to a particular use case

[briannmic]

I need this for my project

[duncanportelli]

@jzheaux,

Thanks for opening this issue. I am currently working on an IDP-initiated solution and can confirm that a custom AuthenticationProvider must be implemented from scratch in order to achieve this.

The problem is that the OpenSamlAuthenticationProvider is a final class and cannot be extended. If at least, this was not final, this would have been so much easier as only the decrypt(Saml2AuthenticationToken token, EncryptedAssertion assertion) would need to be overridden in order to provide a custom Decrypter

[ryan13mt]

Hi @jzheaux by any chance was there any progress on this or at least a plan to include it in an upcoming release?

[jzheaux]

Hi, @ryan13mt, there is no plan or progress on this issue.

One thing that might help, though, is to begin with a sample.

@duncanportelli, is your implementation something that you can share via GitHub? This could at least get the conversation started about what is the appropriate thing to expose to simplify this. While introducing an inheritance-based solution is a possibility, I wonder if there is a sensible composition-based one.

[duncanportelli]

Hi @jzheaux,

Sure. I uploaded a sample spring boot application in which you can see the number of overridden classes in order to create a custom decrypter to include the decryption logic (in this case via the Azure Key Vault).