
The ruby-saml gem supports adding certificate and private-key info to the Service Provider's metadata, but as far as I can tell, that configures only the signing certificate, but not the encryption one. Here's what I do:

settings.certificate = "---- BEGIN CERTIFICATE----..."
settings.private_key = "-----BEGIN PRIVATE KEY----..."

which results in the following XML section being added to the Service Provider's metadata:

<md:KeyDescriptor use='signing'>
      <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <ds:X509Data>
          <ds:X509Certificate>
CERTIFICATE IS HERE GSDk3tShjl4yhShj4Hr....
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
</md:KeyDescriptor>

But how do I configure ruby-saml to add a similar section for use='encryption' in addition to use='signing'?

MikeMarsian

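A worked check for the question above, added by the editor; it is not part of the question or of either answer. It builds SP metadata with both KeyDescriptor entries using only stdlib Ruby (openssl, rexml), in the layout shown in the question, and then parses the result to confirm that a use='encryption' descriptor is present and that its certificate belongs to the SP's private key, which is exactly what the IdP relies on when it encrypts assertions to the SP. The ruby_saml_sp_metadata function shows the settings involved on the gem side; the claim that ruby-saml 1.x emits the use='encryption' KeyDescriptor when settings.security[:want_assertions_encrypted] is true is the editor's recollection of the gem's metadata generator, not something this page states, and that function returns nil when the gem is not installed. The entity ID, ACS URL and self-signed certificate are constructed for the example.

```ruby
require 'openssl'
require 'rexml/document'

MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'

# Constructed for the example: a throwaway RSA key and self-signed SP certificate.
# A real SP loads the PEM pair it hands to settings.certificate / settings.private_key.
def example_sp_credentials
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=sp.example.com')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 60 * 60
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Builds SP metadata in the shape shown in the question: one KeyDescriptor
# use='signing', plus use='encryption' when requested. Stdlib only, so it runs
# without the gem installed. (Editor's code, not ruby-saml's.)
def sp_metadata_xml(entity_id, acs_url, cert, want_assertions_encrypted:)
  doc = REXML::Document.new
  doc << REXML::XMLDecl.new('1.0', 'UTF-8')
  ed = doc.add_element('md:EntityDescriptor', 'xmlns:md' => MD_NS, 'entityID' => entity_id)
  sso = ed.add_element('md:SPSSODescriptor',
                       'protocolSupportEnumeration' => 'urn:oasis:names:tc:SAML:2.0:protocol',
                       'AuthnRequestsSigned' => 'true',
                       'WantAssertionsSigned' => 'true')
  cert_b64 = [cert.to_der].pack('m0') # single-line base64 of the DER certificate
  uses = ['signing']
  uses << 'encryption' if want_assertions_encrypted
  uses.each do |use|
    kd = sso.add_element('md:KeyDescriptor', 'use' => use)
    ki = kd.add_element('ds:KeyInfo', 'xmlns:ds' => DS_NS)
    ki.add_element('ds:X509Data').add_element('ds:X509Certificate').text = cert_b64
  end
  sso.add_element('md:AssertionConsumerService',
                  'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                  'Location' => acs_url, 'index' => '0', 'isDefault' => 'true')
  out = +''
  doc.write(out)
  out
end

# Parses metadata (ours or the gem's) into { use => OpenSSL::X509::Certificate }.
# Per SAML 2.0 Metadata section 2.4.1.1, a KeyDescriptor without a use attribute
# applies to both signing and encryption; it is keyed as 'both' here.
def key_descriptor_certs(xml)
  doc = REXML::Document.new(xml)
  certs = {}
  REXML::XPath.each(doc, '//md:KeyDescriptor', 'md' => MD_NS) do |kd|
    node = REXML::XPath.first(kd, './/ds:X509Certificate', 'ds' => DS_NS)
    next unless node && node.text
    der = node.text.strip.unpack1('m')
    certs[kd.attributes['use'] || 'both'] = OpenSSL::X509::Certificate.new(der)
  end
  certs
end

# The check an SP operator wants before handing metadata to an IdP: is there a
# certificate the IdP may encrypt to, and does it belong to the private key this
# SP will actually decrypt with? Returns false when no encryption key is published.
def encryption_key_usable?(xml, private_key)
  certs = key_descriptor_certs(xml)
  cert = certs['encryption'] || certs['both']
  return false unless cert
  cert.check_private_key(private_key)
end

# The ruby-saml side. Assumption (editor's recollection of the gem's metadata
# generator, not from this page): with ruby-saml 1.x, security[:want_assertions_encrypted]
# = true makes Metadata#generate add the use='encryption' KeyDescriptor next to the
# use='signing' one. Returns nil when the gem is not installed.
def ruby_saml_sp_metadata(entity_id, acs_url, cert, key)
  require 'onelogin/ruby-saml'
  settings = OneLogin::RubySaml::Settings.new
  settings.sp_entity_id = entity_id
  settings.assertion_consumer_service_url = acs_url
  settings.certificate = cert.to_pem
  settings.private_key = key.to_pem
  settings.security[:want_assertions_encrypted] = true
  OneLogin::RubySaml::Metadata.new.generate(settings)
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  cert, key = example_sp_credentials
  entity_id = 'https://sp.example.com/saml'      # constructed
  acs_url = 'https://sp.example.com/saml/acs'    # constructed
  xml = sp_metadata_xml(entity_id, acs_url, cert, want_assertions_encrypted: true)
  puts xml
  puts "encryption KeyDescriptor usable with our key: #{encryption_key_usable?(xml, key)}"
  gem_xml = ruby_saml_sp_metadata(entity_id, acs_url, cert, key)
  puts "ruby-saml output passes the same check: #{encryption_key_usable?(gem_xml, key)}" if gem_xml
end
```

Run the same encryption_key_usable? check against whatever metadata you actually publish, not only against the hand-built version: the failure it catches in practice is metadata that advertises one certificate while the deployed private key belongs to another, which leaves the IdP encrypting assertions the SP cannot decrypt. The parser also accepts a KeyDescriptor with no use attribute, since the SAML metadata spec treats that as valid for both signing and encryption, but IdPs differ in how they handle it, so publishing an explicit use='encryption' entry is the safer choice.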
2 Answers

If I understood correctly, you are not able to send the SAMLResponse in encrypted form. If that is the case, when you are building the SAML response, send one more parameter:

# Encryption options: the SP's certificate to encrypt to, plus the
# block-encryption and key-transport algorithms.
def encryption_opts
  {
    cert: saml_request.service_provider.cert,
    block_encryption: 'aes256-cbc',
    key_transport: 'rsa-oaep-mgf1p'
  }
end

saml_response = encode_response(:encryption => encryption_opts)
  • Thank you for the reply, but I'm not sure I understand where this code would fit. I use `saml_config_hash = OneLogin::RubySaml::IdpMetadataParser.new.parse_to_hash(idp_metadata_file)` to parse the SAML metadata file provided by the identity provider, and add options to the resulting hash, such as: `saml_config_hash.merge( certificate: "--- BEGIN CERTIFICATE---...", private_key: "--- BEGIN PRIVATE KEY---" )` – MikeMarsian May 05 '20 at 15:51

The gem's documentation shows that you can support multiple certificates by assigning a hash, e.g.:

@settings.idp_cert_multi = {
  :signing => [],
  :encryption => []
}

I have not tested this.

See https://github.com/SAML-Toolkits/ruby-saml#handling-multiple-idp-certificates

Sune Nilausen