Encrypting SAML assertions

Enabling encryption of SAML assertions adds another layer of security. Enable this feature in a mobile app single sign-on setup if the SP supports SAML assertion decryption. The SAML assertions are encrypted so that only the service provider, which holds the corresponding private key, can decrypt them.

  • Encryption of SAML assertions is disabled by default.
  • Responses can be signed while carrying a signed encrypted Assertion, but the Response itself is not encrypted.
  • Do not use the signing certificate for encrypting SAML assertions, and vice versa.
  • The following service providers (SP) support encryption of SAML assertions:
    • Salesforce
    • Custom SAML Service Provider
    • Custom WS-Federation Service Provider
  • A default certificate for encryption is automatically available in your Ivanti Access tenant.
  • Enabling SAML assertion encryption enables additional options for Native Mobile Application Single Sign-On (SSO). These options allow you to select the data encryption algorithm and the key transport algorithm for single sign-on.
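As an added example (not part of the Ivanti documentation), the following Python script inspects an issued SAML Response the way an SP-side reviewer would to confirm what the bullets above describe: that the Response is signed, that the Assertion itself is encrypted, and which data encryption and key transport algorithms were applied. The sample Response is constructed for this example; the algorithm identifiers are the standard XML Encryption URIs.

```python
"""Inspect a SAML Response: is it signed, is the Assertion encrypted, and with
which data-encryption and key-transport algorithms?"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
XENC10 = "http://www.w3.org/2001/04/xmlenc#"  # XML Encryption 1.0 algorithm URIs


def inspect_response(xml_text: str) -> dict:
    """Return the encryption facts of a Response plus warnings about weak choices."""
    root = ET.fromstring(xml_text)
    enc = root.find("saml:EncryptedAssertion", NS)
    info = {"response_signed": root.find("ds:Signature", NS) is not None,
            "assertion_encrypted": enc is not None,
            "data_algorithm": None, "key_transport_algorithm": None, "warnings": []}
    if not info["response_signed"]:
        info["warnings"].append("Response is not signed")
    if enc is None:
        info["warnings"].append("Assertion is sent in clear text")
        return info
    # Data algorithm is on EncryptedData; key-transport algorithm is on the EncryptedKey,
    # which may sit inside ds:KeyInfo or next to EncryptedData, hence the './/' search.
    data = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
    key = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    info["data_algorithm"] = None if data is None else data.get("Algorithm")
    info["key_transport_algorithm"] = None if key is None else key.get("Algorithm")
    if (info["data_algorithm"] or "").endswith("-cbc"):
        info["warnings"].append("CBC data encryption (no integrity); prefer AES-GCM")
    if info["key_transport_algorithm"] == XENC10 + "rsa-1_5":
        info["warnings"].append("RSA PKCS#1 v1.5 key transport; prefer RSA-OAEP")
    return info


# Constructed sample (not a real capture): signed Response with an EncryptedAssertion
# using AES-256-CBC data encryption and RSA PKCS#1 v1.5 key transport.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}" Version="2.0">
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="{XENC10}Element">
      <xenc:EncryptionMethod Algorithm="{XENC10}aes256-cbc"/>
      <ds:KeyInfo><xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{XENC10}rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>ZGF0YQ==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
```

Running `inspect_response(SAMPLE_RESPONSE)` reports the two algorithm URIs and two warnings; an unencrypted Response reports a clear-text Assertion instead.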

Before you begin

See Configuring Mobile App Single Sign-on (SSO) for information about setting up single sign-on.

Procedure 

1. In the service provider configuration for Salesforce, Custom SAML Service Provider, or Custom WS-Federation Service Provider, go to Encryption Certificate.
2. Click the check box for Encrypt SAML assertion.

The default encryption certificate is automatically selected.

3. (Optional) To use a certificate other than the default certificate, do one of the following:
  • Select a certificate from the drop-down list.
  • Click Generate certificate or Add new certificate.

Adding a new certificate for SAML assertion encryption

The following provides the steps for adding a new certificate for SAML assertion encryption.

Before you begin 

Ensure that you have a PKCS 12 format file (.PFX or .P12) that contains the certificate and corresponding private key.

Procedure 

  1. In the service provider (SP) configuration, in the Encryption Certificate section, click Add new certificate.
  2. Enter the following information:

    Item                  Description
    Certificate Name      Enter an identifying name for the encryption certificate.
    Certificate Password  Enter the password for the encryption certificate.
    Choose File           Click to navigate to the location of the encryption certificate, or drag and drop the certificate to this location.

  3. Click Add Encryption Certificate to add the new certificate.
    The certificate is now available to select from the drop-down list.
    The certificate is also listed in Profile > Access Certificates.

Generating a certificate for SAML assertion encryption

The following provides the steps for generating a certificate for SAML assertion encryption.

Procedure 

  1. In the service provider (SP) configuration, in the Encryption Certificate section, click Generate certificate.
  2. For Certificate Name, enter a name to identify the certificate.
  3. Click Generate Encryption Certificate.
    The certificate is now available to select from the drop-down list.
    The certificate is also listed in Profile > Access Certificates.