Norway SAML Detailed Analysis - RUB-NDS/FutureTrust GitHub Wiki

AuthnRequest messages must be signed. SAML response messages must include signed and encrypted SAML Assertions. SAML metadata can be unsigned.

Message contents are encrypted and signed according to the XML Signature and XML Encryption specifications. In addition, the following security goals have to be achieved:

  • The data should be encrypted with AES-128 or a more secure algorithm.
  • SHA1 with RSA should be used for signing. The RSA key should be at least 1024 bits long.[1]
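As an added illustration, not code from the wiki page or from the FutureTrust project, the following Python script audits a SAML 2.0 Response against the rules above: the Response must carry a signature, the Assertion must be encrypted, the data encryption algorithm must be AES-128 or stronger, and the signing algorithm and RSA key size must not be known-weak. It only inspects algorithm identifiers and the advertised RSA modulus; it verifies no signature and decrypts nothing. The sample Responses, their modulus bytes and ciphertext are constructed placeholders, and the 2048-bit minimum is an assumption taken from the footnote's BSI reference rather than the profile's own 1024-bit figure.

```python
"""Policy audit of a SAML 2.0 Response: signed Response, encrypted Assertion,
AES-128-or-stronger data encryption, and no known-weak signing algorithm or
RSA key size.  Checks identifiers only; it does not verify signatures."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Standard XML Signature / XML Encryption algorithm URIs.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
TRIPLEDES_CBC = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"

ACCEPTED_DATA_ENCRYPTION = {AES128_CBC, AES256_CBC, AES128_GCM, AES256_GCM}
WEAK_SIGNATURE_ALGS = {RSA_SHA1: "SHA1 with RSA (collision attacks, see shattered.io)"}
# Assumption: BSI TR-02102-1 guidance, stricter than the profile's 1024-bit minimum.
MIN_RSA_BITS = 2048


def rsa_modulus_bits(modulus_b64: str) -> int:
    """Bit length of a base64-encoded RSA modulus (ds:RSAKeyValue/ds:Modulus)."""
    return int.from_bytes(base64.b64decode(modulus_b64), "big").bit_length()


def audit_response(xml_text: str) -> list[str]:
    """Return policy findings; an empty list means the Response passes every check."""
    root = ET.fromstring(xml_text)
    findings = []

    sig = root.find("ds:Signature", NS)  # enveloped signature, direct child of Response
    if sig is None:
        findings.append("Response is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg in WEAK_SIGNATURE_ALGS:
            findings.append(f"weak signature algorithm {alg}: {WEAK_SIGNATURE_ALGS[alg]}")
        modulus = sig.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Modulus", NS)
        if modulus is not None and modulus.text:
            bits = rsa_modulus_bits(modulus.text.strip())
            if bits < MIN_RSA_BITS:
                findings.append(f"RSA signing key is {bits} bits, below {MIN_RSA_BITS}")

    if root.find("saml:Assertion", NS) is not None:
        findings.append("Response carries a plaintext Assertion")
    enc = root.find("saml:EncryptedAssertion", NS)
    if enc is None:
        findings.append("Response carries no EncryptedAssertion")
    else:
        method = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in ACCEPTED_DATA_ENCRYPTION:
            findings.append(f"data encryption algorithm {alg!r} is not AES-128 or stronger")
    return findings


def build_sample_response(sig_alg: str, enc_alg: str, modulus: bytes, encrypted: bool = True) -> str:
    """Constructed minimal Response for testing; modulus and cipher values are placeholders."""
    modulus_b64 = base64.b64encode(modulus).decode()
    if encrypted:
        assertion = (
            "<saml:EncryptedAssertion><xenc:EncryptedData>"
            f'<xenc:EncryptionMethod Algorithm="{enc_alg}"/>'
            "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
            "</xenc:EncryptedData></saml:EncryptedAssertion>"
        )
    else:
        assertion = '<saml:Assertion ID="_a1"/>'
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" xmlns:xenc="{NS["xenc"]}" ID="_r1">'
        f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>'
        "<ds:SignatureValue>AAAA</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{modulus_b64}</ds:Modulus>"
        "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature>"
        f"{assertion}</samlp:Response>"
    )


if __name__ == "__main__":
    # A 1024-bit placeholder modulus (top bit set, then zeros), RSA-SHA1 and 3DES.
    weak = build_sample_response(RSA_SHA1, TRIPLEDES_CBC, b"\x80" + bytes(127))
    for finding in audit_response(weak):
        print("-", finding)
```

The audit is a lint over what the message advertises; a deployment still needs an XML-DSig library to verify the signature and a decryption step to check the assertion, and it must reject messages that fail those steps regardless of which algorithms they name.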

References

1. SHA1 is considered to be insecure (see http://shattered.io/). 1024 bit RSA keys are considered to be weak as well (BSI TR-02102-1, 2017).