Hi guys
I am currently setting up the trust between our Netweaver Java system and ADFS 2.0 in our production environment. In our test setup everything works fine, but in production I get the following error:
SAML2Assertion received could not be decrypted.
[EXCEPTION]
com.sap.security.saml2.lib.common.SAML2Exception: Failed to decrypt the element: <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#">
<ns3:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
<ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ns2:KeyInfo>
<ns3:EncryptedKey>
<ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</ns3:EncryptionMethod>
<ns2:KeyInfo>
I have compared the configurations in test and in production and they are very similar. The only difference seems to be the certificates used on the ADFS side. On the Netweaver side they show up with a yellow triangle in the SAML2 key storage view.
Our installation of ADFS 2.0 is already connected to Office 365, and for that reason there were some specific requirements for the encryption algorithms used in the token-encrypting certificate and the signing certificate. So I will probably not be able to change the certificates being used on the ADFS side.
Assuming that the problem is that my cryptolib on the Netweaver side does not support 256 bit encryption algorithms, is there a version of the cryptolib that does?
Best regards,
Anders
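An added diagnostic (not part of the original post or of SAP's or Microsoft's code) that parses the EncryptedAssertion fragment quoted above and reports the data-encryption and key-transport algorithms, flagging a data key size above an assumed local limit (128 bits here, a placeholder for whatever the service provider's crypto library actually supports). The sample XML is constructed from the quoted fragment with placeholder cipher values.

```python
"""Report which XML Encryption algorithms a SAML 2.0 EncryptedAssertion uses,
so a decryption failure can be matched against the local library's limits."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Data (symmetric) algorithms and the key size each implies.
DATA_ALG_BITS = {
    NS["xenc"] + "tripledes-cbc": 168,
    NS["xenc"] + "aes128-cbc": 128,
    NS["xenc"] + "aes192-cbc": 192,
    NS["xenc"] + "aes256-cbc": 256,
}

def inspect_encrypted_assertion(xml_text: str, max_key_bits: int = 128) -> dict:
    """Return the algorithms found and whether the data key exceeds max_key_bits
    (an assumed limit standing in for the local crypto library's capability)."""
    root = ET.fromstring(xml_text)
    enc_data = root.find("xenc:EncryptedData", NS)
    if enc_data is None:
        raise ValueError("no xenc:EncryptedData element in assertion")
    data_alg = enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm")
    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    key_alg = None
    if enc_key is not None:
        key_alg = enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm")
    bits = DATA_ALG_BITS.get(data_alg)  # None for an unknown algorithm URI
    return {
        "data_algorithm": data_alg,
        "key_transport_algorithm": key_alg,
        "data_key_bits": bits,
        "exceeds_limit": bits is not None and bits > max_key_bits,
    }

# Constructed sample: the quoted fragment completed with placeholder cipher values.
SAMPLE = """<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#">
 <ns3:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
  <ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ns2:KeyInfo><ns3:EncryptedKey>
   <ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   </ns3:EncryptionMethod>
   <ns3:CipherData><ns3:CipherValue>UExBQ0VIT0xERVI=</ns3:CipherValue></ns3:CipherData>
  </ns3:EncryptedKey></ns2:KeyInfo>
  <ns3:CipherData><ns3:CipherValue>UExBQ0VIT0xERVI=</ns3:CipherValue></ns3:CipherData>
 </ns3:EncryptedData>
</EncryptedAssertion>"""

if __name__ == "__main__":
    print(inspect_encrypted_assertion(SAMPLE))
```

Running it against the real response (copied from the trace) shows whether the failing assertion uses a data key size or key-transport algorithm the service provider side cannot handle, before touching the certificates on the ADFS side.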