Encrypt SAML Responses for On-Premises Deployments

This page provides instructions on configuring encryption for Security Assertion Markup Language (SAML) responses in your on-premises Controller deployment.

You can improve the security of SAML authentication by encrypting the SAML response that the IdP sends to the service provider (your Controller). Your Controller shares a public key (as an x509 certificate) with the IdP and keeps the matching private key, which it uses to decrypt the responses the IdP encrypted with that public key. Without encryption, the assertion and its attributes pass through the user's browser base64-encoded but otherwise in plaintext.

Attention: You must be an Account Owner to configure the Controller to accept encrypted SAML responses.

Install OpenSSL

You must install OpenSSL, the cryptography and SSL/TLS toolkit, to generate the private key and certificate that encrypting SAML responses requires.

Generate an x509 Certificate

  1. Generate a private key:
    openssl genrsa -out privatekey.pem 2048
  2. Convert the private key into PKCS#8 format (the unencrypted -----BEGIN PRIVATE KEY----- form that the Controller expects):
    openssl pkcs8 -in privatekey.pem -topk8 -nocrypt -out privatekey.p8
  3. Generate a self-signed certificate from the private key. The IdP uses only the public key in it, so a self-signed certificate is sufficient. Note that openssl req -x509 issues a certificate valid for 30 days unless you add -days; set a longer validity so that the IdP does not start rejecting the certificate after a month.
    openssl req -new -x509 -key privatekey.pem -out ssocert.pem

Keep both private key files restricted to the account that administers the Controller; anyone holding the private key can decrypt every SAML response the IdP sends.
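The three openssl steps above as one script, with a check that the PKCS#8 key and the certificate actually belong together before you paste them into the Controller. This is an added example, not part of the AppDynamics documentation or product; the output directory, the subject and the file names are example values.

```shell
#!/bin/sh
# Added example (not from the AppDynamics documentation): generate the SAML
# encryption key pair described above and verify that the PKCS#8 key and the
# certificate carry the same public key before pasting them into the Controller.
# Assumptions: the openssl CLI is on PATH; file names and subject are examples.
set -eu

gen_saml_encryption_material() {
    outdir=${1:-.}                              # assumed argument: output directory
    subject=${2:-/CN=controller.example.com}    # example subject, not a real host

    # 1. 2048-bit RSA private key. OpenSSL 1.x writes the traditional
    #    "BEGIN RSA PRIVATE KEY" encoding; OpenSSL 3 already writes PKCS#8,
    #    in which case step 2 is a harmless re-encoding.
    openssl genrsa -out "$outdir/privatekey.pem" 2048 2>/dev/null

    # 2. Same key as unencrypted PKCS#8 ("BEGIN PRIVATE KEY"), the format the
    #    Controller's SAML Encryption Key field expects.
    openssl pkcs8 -in "$outdir/privatekey.pem" -topk8 -nocrypt -out "$outdir/privatekey.p8"

    # 3. Self-signed x509 certificate to upload to the IdP. -subj avoids the
    #    interactive prompts; -days overrides the 30-day default validity.
    openssl req -new -x509 -key "$outdir/privatekey.pem" -subj "$subject" \
        -days 730 -out "$outdir/ssocert.pem"
}

# Returns 0 when the private key and the certificate share the same public key.
# Comparing SHA-256 digests of the DER public keys catches the common mistake of
# pasting a key from a different openssl run than the certificate.
key_matches_cert() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# First PEM line, so you can confirm a file is PKCS#8 ("BEGIN PRIVATE KEY")
# rather than the traditional "BEGIN RSA PRIVATE KEY" before pasting it.
pem_header() { head -n 1 "$1"; }

# Usage:
#   gen_saml_encryption_material ./saml-keys "/CN=controller.example.com"
#   key_matches_cert ./saml-keys/privatekey.p8 ./saml-keys/ssocert.pem && echo "key and cert match"
```

Run key_matches_cert against the exact two files whose contents you paste into the Controller; a mismatch here is the usual cause of the Controller rejecting every encrypted response after the IdP has been configured.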

Enable SAML Encryption

After you generate the private key in PKCS#8 format and the x509 certificate:

  1. Navigate to AppDynamics > Administrator > Authentication Provider > SAML.
  2. Check Enable for SAML Encryption.

Add the Encryption Certificate and the Private Key to the Controller

You must add the generated x509 certificate so that it can be shared with the IdP. You must also provide the private key so that the Controller can decrypt the SAML response from the IdP.

  1. In the SAML Encryption Certificate text area, paste the content of your x509 certificate between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers:
    -----BEGIN CERTIFICATE-----
    // Insert x509 certificate content here
    -----END CERTIFICATE-----
  2. In the SAML Encryption Key text area, paste the content of your p8 key file between the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- markers. The key must be the unencrypted PKCS#8 file (privatekey.p8), not the privatekey.pem file from the first openssl step:
    -----BEGIN PRIVATE KEY-----
    // Insert p8 key content here
    -----END PRIVATE KEY-----
  3. Click Save.

Configure IdP to Encrypt Response

Each IdP requires a different configuration for encrypting responses. Follow this high-level procedure:

  1. From your IdP, enable SAML encryption. In some IdPs, this is known as assertion encryption.
  2. Select an encryption algorithm if your IdP offers a choice; some IdPs choose one for you. Where the IdP lets you choose, prefer an AES-GCM suite over AES-CBC: XML Encryption with CBC modes is exposed to padding-oracle attacks, which is why XML Encryption 1.1 added GCM.
  3. Upload the x509 certificate that you generated in Generate an x509 Certificate. Upload only the certificate (ssocert.pem), never the private key.

Verify SAML Responses Are Encrypted

If you have enabled encryption for SAML in your Controller but the SAML responses from your IdP are not encrypted, the Controller rejects the SAML authentication when you try to log in with SAML.

To verify that the SAML response is encrypted:

  1. Sign in to your Controller using the SAML flow from the service provider (your Controller) described in Verify the SAML Authentication Configuration.
  2. From the Network tab of your browser's developer console, find the network request similar to the following, where <controller_domain_name> is the host name of your Controller and <account_name> is the name of your account:
    http://<controller_domain_name>:8090/controller/saml-auth?accountName=<account_name>
  3. Select this network request and locate the parameter SAMLResponse:
    SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vZWMyLTU0LTIxMi0wLTIxNi51cy13ZXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tOjgwODA]gRm9yb...
  4. Decode the SAMLResponse value with base64. Copy the value as the browser posted it and undo the form encoding first (%2B, %2F and %3D stand for +, / and =). The value begins with PD94bWwg, which is the base64 encoding of "<?xml ", so it is base64 only and no inflate step is needed; the decoded string is the SAML XML response. If encryption is working, that XML contains an EncryptedAssertion element wrapping an xenc:EncryptedData element with a CipherValue, and the assertion's subject and attributes are not readable. If you can read a saml2:Assertion with the user's NameID and attributes in plaintext, the IdP is not encrypting.
    echo 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vZWMyLTU0LTIxMi0wLTIxNi51cy13ZXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tOjgwODA]gRm9yb...' | base64 --decode
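The decode-and-inspect step above, and the algorithm check from Configure IdP to Encrypt Response, as a small script. This is an added example, not part of the AppDynamics documentation or product. The two SAML responses in it are constructed stand-ins for a real browser capture (the CipherValue is filler, not real ciphertext), built so that the checker runs offline; with a real capture you pass the SAMLResponse form value to saml_encryption_state instead.

```shell
#!/bin/sh
# Added example, not from the AppDynamics documentation: decode a captured
# SAMLResponse form value and report whether the assertion inside is encrypted.
# The two sample responses below are constructed stand-ins for a real capture
# (the CipherValue is filler, not real ciphertext). Needs only POSIX sh and the
# openssl CLI.
set -eu

# A browser form-encodes the base64 value before posting it. Only '+', '/' and
# '=' from the base64 alphabet get escaped, so undoing those three suffices.
urldecode_b64() {
    sed -e 's/%2[Bb]/+/g' -e 's/%2[Ff]/\//g' -e 's/%3[Dd]/=/g'
}

# Inverse of the above; used here only to build realistic sample input.
encode_as_posted() {
    openssl base64 -A | sed -e 's/+/%2B/g' -e 's/\//%2F/g' -e 's/=/%3D/g'
}

# stdin: raw SAMLResponse form value -> stdout: the SAML XML.
# POST-binding responses are base64 only (no DEFLATE), so there is no inflate.
decode_saml_response() {
    urldecode_b64 | openssl base64 -d -A
}

# Prints "encrypted", "plaintext" or "unknown" for a captured form value.
saml_encryption_state() {
    xml=$(printf '%s' "$1" | decode_saml_response) || xml=''
    case "$xml" in
        *EncryptedAssertion*|*EncryptedData*) echo encrypted ;;
        *:Assertion*|*'<Assertion'*)          echo plaintext ;;
        *)                                    echo unknown ;;
    esac
}

# stdin: decoded XML -> stdout: the first EncryptionMethod algorithm URI, so
# you can confirm which suite the IdP picked (a CBC URI is worth revisiting).
saml_encryption_algorithm() {
    tr '<' '\n' | sed -n 's/^[^ ]*EncryptionMethod Algorithm="\([^"]*\)".*/\1/p' | head -n 1
}

# --- constructed samples (not real IdP output) -------------------------------
SAML_NS='xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"'
ENCRYPTED_XML='<?xml version="1.0" encoding="UTF-8"?>'\
"<saml2p:Response $SAML_NS ID=\"_r1\" Version=\"2.0\">"\
'<saml2:Issuer>https://idp.example.com</saml2:Issuer>'\
'<saml2:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'\
'<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>'\
'<xenc:CipherData><xenc:CipherValue>QUJDREVGR0g=</xenc:CipherValue></xenc:CipherData>'\
'</xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>'
PLAINTEXT_XML='<?xml version="1.0" encoding="UTF-8"?>'\
"<saml2p:Response $SAML_NS ID=\"_r2\" Version=\"2.0\">"\
'<saml2:Assertion ID="_a2" Version="2.0"><saml2:Subject>'\
'<saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject></saml2:Assertion></saml2p:Response>'

# What the browser would actually post for each sample.
SAMPLE_ENCRYPTED=$(printf '%s' "$ENCRYPTED_XML" | encode_as_posted)
SAMPLE_PLAINTEXT=$(printf '%s' "$PLAINTEXT_XML" | encode_as_posted)

# Usage with a real capture (value pasted from the developer console into a file):
#   saml_encryption_state "$(cat captured-samlresponse.txt)"
#   printf '%s' "$(cat captured-samlresponse.txt)" | decode_saml_response | saml_encryption_algorithm
```

The "plaintext" result is the case the Verify section warns about: the Controller has encryption enabled, the IdP is still sending a readable saml2:Assertion, and the login is rejected until the IdP side is configured.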