Add the possibility to continue if no encryption cert is available (#2208)

tvdijen · web-flow · commit f99217b43d72 · 2024-08-23T10:30:27.000+02:00
* Add the possibility to continue unencrypted if no encryption cert is available

* Fix review comments
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
@@ -142,10 +142,13 @@ The following SAML 2.0 options are available:
 
 `assertion.encryption`
 :   Whether assertions sent from this IdP should be encrypted. The default
-    value is `FALSE`.
+    value is `FALSE`. When set to `TRUE` encryption will be enforced for all
+    remote SP's and an exception is thrown if encryption fails.
 
 :   Note that this option can be set for each SP in the SP-remote metadata.
 
+:   Note that enforcement can be disabled by setting `encryption.optional` to `TRUE`.
+
 `attributeencodings`
 :   What encoding should be used for the different attributes. This is
     an array which maps attribute names to attribute encodings. There
@@ -190,6 +193,10 @@ The following SAML 2.0 options are available:
     any value in the SP-remote metadata overrides the one configured
     in the IdP metadata.
 
+`encryption.optional`
+:   Whether or not we may continue to send an unencrypted assertion if the SP has no encryption certificate.
+    The default value is `FALSE`.
+
 `encryption.blacklisted-algorithms`
 :   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
 
diff --git a/modules/saml/src/IdP/SAML2.php b/modules/saml/src/IdP/SAML2.php
@@ -1414,7 +1414,7 @@ private static function encryptAssertion(
         Configuration $idpMetadata,
         Configuration $spMetadata,
         Assertion $assertion,
-    ) {
+    ): Assertion|EncryptedAssertion {
         $encryptAssertion = $spMetadata->getOptionalBoolean('assertion.encryption', null);
         if ($encryptAssertion === null) {
             $encryptAssertion = $idpMetadata->getOptionalBoolean('assertion.encryption', false);
@@ -1452,6 +1452,8 @@ private static function encryptAssertion(
                 // extract the public key from the certificate for encryption
                 $key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'public']);
                 $key->loadKey($pemKey);
+            } elseif ($idpMetadata->getOptionalBoolean('encryption.optional', false) === true) {
+                return $assertion;
             } else {
                 throw new Error\ConfigurationError(
                     'Missing encryption key for entity `' . $spMetadata->getString('entityid') . '`',
