Encrypt SAML Responses for On-Premises Deployments
This page provides instructions on configuring encryption for Security Assertion Markup Language (SAML) responses in your on-premises deployment.
You can improve the security of SAML authentication by encrypting the SAML response that the IdP sends to the service provider (your Controller). Your Controller shares a public key (in an x509 certificate) with the IdP and keeps the matching private key, which it uses to decrypt responses the IdP encrypted with that public key.

Install OpenSSL
You must install the cryptography and SSL/TLS toolkit OpenSSL to generate the private key and certificate that encrypting SAML responses requires.
Generate an x509 Certificate
- Generate a private key:

```bash
openssl genrsa -out privatekey.pem 2048
```

- Convert the private key into pkcs8 format:

```bash
openssl pkcs8 -in privatekey.pem -topk8 -nocrypt -out privatekey.p8
```

- Generate a certificate from the private key:

```bash
openssl req -new -x509 -key privatekey.pem -out ssocert.pem
```

The `req -x509` command prompts for the certificate subject, and the certificate it creates is valid for 30 days unless you add `-days <n>`, so choose a validity that matches how often you intend to rotate the key. Because `-nocrypt` writes `privatekey.p8` unencrypted, restrict the file's permissions to the administrator who pastes it into the Controller.
Enable SAML Encryption
After you generate the private key in pkcs8 format and the x509 certificate:
- Navigate to AppDynamics > Administrator > Authentication Provider > SAML.
- Check Enable for SAML Encryption.
Add the Encrypted Certificate and the Private Key to the Controller
You must add the generated x509 certificate so that it is sharable with the IdP. You must also provide the private key so that the Controller can decrypt the SAML response from the IdP.
In the SAML Encryption Certificate text area, paste the content of your x509 certificate (`ssocert.pem`) between the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines:

```text
-----BEGIN CERTIFICATE-----
// Insert x509 certificate content here
-----END CERTIFICATE-----
```

In the SAML Encryption Key text area, paste the content of your p8 key file (`privatekey.p8`) between the `-----BEGIN PRIVATE KEY-----` and `-----END PRIVATE KEY-----` lines:

```text
-----BEGIN PRIVATE KEY-----
// Insert p8 key content here
-----END PRIVATE KEY-----
```

Click Save.
Configure IdP to Encrypt Response
Each IdP requires a different configuration for encrypting responses. Follow this high-level procedure:
- From your IdP, enable SAML encryption. In some IdPs, this is known as assertion encryption.
- Select an encryption algorithm. Some IdPs let you choose any supported algorithm; others choose one for you.
- Upload the x509 certificate that you generated in Generate an x509 Certificate.
Verify SAML Responses Are Encrypted
If you have enabled SAML encryption in your Controller but the SAML responses from your IdP are not encrypted, the Controller rejects SAML logins.
To verify that the SAML response is encrypted:
- Sign in to your Controller using the SAML flow from the service provider (your Controller) described in Verify the SAML Authentication Configuration.
- From the Network tab of the developer console of your browser, find the network request similar to the following, where `<controller_domain_name>` is the domain name of the machine hosting your on-premises Controller, and `<account_name>` is your Splunk AppDynamics account name:

```text
http://<controller_domain_name>:8090/controller/saml-auth?accountName=<account_name>
```

- Select this network request and locate the `SAMLResponse` parameter in the response. You should see a long Base64-encoded string representing the encrypted SAML response:

```text
SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vZWMyLTU0LTIxMi0wLTIxNi51cy13ZXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tOjgwODA]gRm9yb...
```

You can decode and inflate the encrypted SAML response with the `base64` command-line utility or an online tool. `base64 --decode` reads from standard input or a file, so pipe the value into it without the `SAMLResponse=` prefix (if you copied the value from a form body, URL-decode it first, for example `%2B` back to `+`):

```bash
echo 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vZWMyLTU0LTIxMi0wLTIxNi51cy13ZXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tOjgwODA]gRm9yb...' | base64 --decode
```

If your SAML response was encrypted, the decoded and inflated string should contain the SAML XML response with a `saml2:EncryptedAssertion` element wrapping `xenc:EncryptedData`; if the IdP did not encrypt, you see a plaintext `saml2:Assertion` instead.
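The manual check above can be scripted. The following Python script is an added example, not AppDynamics or Splunk code and not part of the original page: it decodes a captured `SAMLResponse` value (URL-decoding it, Base64-decoding it and inflating it when the HTTP-Redirect binding was used), reports whether the assertion arrived inside `saml2:EncryptedAssertion`, and lists the data-encryption algorithm the IdP used so you can compare it with the algorithm selected in the IdP. The sample responses, the `controller.example` host name and the placeholder ciphertext are constructed for the example; only the standard library is used.

```python
"""Check whether a captured SAMLResponse carries an encrypted assertion.

Added example for this page (not AppDynamics/Splunk code). Handles the two
encodings a browser's developer console can show: the HTTP-POST binding
(Base64 of the XML, URL-encoded as a form field) and the HTTP-Redirect
binding (raw DEFLATE, then Base64, then URL-encoded as a query parameter).
The sample responses below are constructed; the ciphertext is a placeholder.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS_SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
NS_SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
NS_XENC = "{http://www.w3.org/2001/04/xmlenc#}"


def decode_saml_response(value: str) -> str:
    """Return the XML text behind a SAMLResponse value copied from the console.

    Accepts the bare value or the 'SAMLResponse=...' form. The value is
    URL-decoded, Base64-decoded and, if the result is not already XML,
    inflated (raw DEFLATE without a zlib header, as the Redirect binding uses).
    """
    if value.startswith("SAMLResponse="):
        value = value[len("SAMLResponse="):]
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw.startswith(b"<"):  # POST binding: Base64 of the XML itself
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # Redirect binding


def is_encrypted_response(xml_text: str) -> bool:
    """True if the Response carries only EncryptedAssertion elements holding xenc data."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != NS_SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    if root.findall(NS_SAML + "Assertion"):
        return False  # a plaintext assertion is present: the IdP did not encrypt
    encrypted = root.findall(NS_SAML + "EncryptedAssertion")
    if not encrypted:
        raise ValueError("Response carries no assertion at all")
    return all(e.find(NS_XENC + "EncryptedData") is not None for e in encrypted)


def encryption_algorithms(xml_text: str) -> list[str]:
    """Algorithm URIs used for the assertion ciphertext (compare with the IdP setting)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    path = f".//{NS_XENC}EncryptedData/{NS_XENC}EncryptionMethod"
    return [m.get("Algorithm", "") for m in root.findall(path)]


def classify(value: str) -> str:
    """'encrypted' or 'plaintext' for a captured SAMLResponse value."""
    return "encrypted" if is_encrypted_response(decode_saml_response(value)) else "plaintext"


# --- Constructed samples and the two wire encodings, used to exercise the checks ---

def encode_post_binding(xml_text: str) -> str:
    """Base64 the XML as the HTTP-POST binding does, URL-encoded as a form field."""
    return urllib.parse.quote(base64.b64encode(xml_text.encode("utf-8")).decode("ascii"), safe="")


def encode_redirect_binding(xml_text: str) -> str:
    """Raw-DEFLATE, Base64 and URL-encode the XML as the HTTP-Redirect binding does."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


RESPONSE_OPEN = (  # constructed; controller.example is a placeholder host
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'Destination="http://controller.example:8090/controller/saml-auth">'
    '<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
)
ENCRYPTED_XML = RESPONSE_OPEN + (
    '<saml2:EncryptedAssertion>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>'
    '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData>'
    '</saml2:EncryptedAssertion></saml2p:Response>'
)
PLAINTEXT_XML = RESPONSE_OPEN + (
    '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml2:Issuer>https://idp.example/</saml2:Issuer>'
    '<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion></saml2p:Response>'
)

if __name__ == "__main__":
    for label, xml_text in (("encrypted", ENCRYPTED_XML), ("plaintext", PLAINTEXT_XML)):
        post = classify("SAMLResponse=" + encode_post_binding(xml_text))
        redirect = classify(encode_redirect_binding(xml_text))
        print(f"{label}: POST binding -> {post}, Redirect binding -> {redirect}")
    print("data algorithms:", encryption_algorithms(ENCRYPTED_XML))
```

To use it on a real capture, pass the value copied from the developer console to `classify()`; a `plaintext` result means the IdP-side encryption step was not applied and the Controller will reject the login. The check looks only at the assertion container, so a Response that carries both a plaintext and an encrypted assertion is reported as plaintext.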