Encrypt SAML Responses for SaaS Deployments

This page provides instructions for configuring encryption for Security Assertion Markup Language (SAML) responses in your SaaS environment.

You can improve the security of SAML authentication by encrypting the SAML response that the IdP sends to the service provider (your Controller Tenant). Your Controller Tenant shares a public key with the IdP and stores the matching private key, which it uses to decrypt responses that the IdP encrypted with that public key.

Attention: You must be an Account Owner to configure the Controller Tenant to accept encrypted SAML responses.

Install OpenSSL

You must install OpenSSL, a cryptography and SSL/TLS toolkit, to generate the private key and certificate that encrypting SAML responses requires.

Generate an x509 Certificate

  1. Generate a private key:
    openssl genrsa -out privatekey.pem 2048
  2. Convert the private key into PKCS#8 format:
    openssl pkcs8 -in privatekey.pem -topk8 -nocrypt -out privatekey.p8
  3. Generate a certificate from the private key:
    openssl req -new -x509 -key privatekey.pem -out ssocert.pem

Enable SAML Encryption

After you generate the private key in pkcs8

  1. Navigate to AppDynamics > Administrator > Authentication Provider > SAML.
  2. Check Enable for SAML Encryption.

Add the Encrypted Certificate and the Private Key to the Controller Tenant

You must add the generated x509 certificate so that it can be shared with the IdP. You must also provide the private key so that the Controller Tenant can decrypt the SAML response from the IdP.

  1. In the SAML Encryption Certificate text area, paste the content of your x509 certificate between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines:
    -----BEGIN CERTIFICATE-----
    // Insert x509 certificate content here
    -----END CERTIFICATE-----
  2. In the SAML Encryption Key text area, paste the content of your p8 key file between the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines:
    -----BEGIN PRIVATE KEY-----
    // Insert p8 key content here
    -----END PRIVATE KEY-----
  3. Click Save.

Configure IdP to Encrypt Response

Each IdP requires a different configuration for encrypting responses. Follow this high-level procedure:

  1. From your IdP, enable SAML encryption. In some IdPs, this is known as assertion encryption.
  2. Select an encryption algorithm. Some IdPs let you select any supported encryption method; others choose one for you.
  3. Upload the x509 certificate that you generated in Generate an x509 Certificate.

Verify SAML Responses Are Encrypted

If you have enabled encryption for SAML in your Controller Tenant but the SAML responses from your IdP are not encrypted, your Controller Tenant rejects the SAML authentication when you log in to your Controller Tenant with SAML.

To verify that the SAML response is encrypted:

  1. Sign in to your Controller Tenant using the SAML flow from the service provider (your Controller Tenant) described in Verify the SAML Authentication Configuration.
  2. From the Network tab of your browser's developer console, find the network request similar to the following, where <controller_domain_name> and <account_name> are your Controller domain name and account name:
    http://<controller_domain_name>:8090/controller/saml-auth?accountName=<account_name>
  3. Select this network request and locate the SAMLResponse parameter:
    SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vZWMyLTU0LTIxMi0wLTIxNi51cy13ZXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tOjgwODA]gRm9yb...
  4. You can decode the SAML response with the base64 command and inflate it if it is compressed. If your SAML response was encrypted, the decoded and inflated string should contain the SAML XML response:
    echo 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vZWMyLTU0LTIxMi0wLTIxNi51cy13ZXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tOjgwODA]gRm9yb...' | base64 --decode
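The manual check in step 4 only tells you that the value decodes to XML; what actually matters is whether the Response carries a saml2:EncryptedAssertion rather than a cleartext saml2:Assertion. The script below is an added example, not part of the original page or the AppDynamics product, that performs that check on a SAMLResponse value copied from the network tab: it URL-decodes it (the captured value has %2B, %2F and %3D in place of +, / and =), base64-decodes it, inflates it if the IdP used the HTTP-Redirect binding, and reports which assertion element is present. The two sample responses and the issuer https://idp.example are constructed for the demonstration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2P_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_saml_response(param_value: str) -> str:
    """Turn the SAMLResponse value copied from the network tab into XML text."""
    # The captured value is URL-encoded base64. HTTP-POST sends base64 XML;
    # HTTP-Redirect additionally raw-DEFLATEs it, so inflate if not XML yet.
    raw = base64.b64decode(unquote(param_value))
    if raw[:1] != b"<":
        raw = zlib.decompress(raw, wbits=-15)  # -15: raw DEFLATE, no zlib header
    return raw.decode("utf-8")

def classify_response(xml_text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' from the assertion element present."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P_NS}}}Response":
        return "unknown"
    if root.find(f"{{{SAML2_NS}}}EncryptedAssertion") is not None:
        return "encrypted"
    if root.find(f"{{{SAML2_NS}}}Assertion") is not None:
        return "plaintext"
    return "unknown"

# Constructed sample responses (not captured from a real IdP): one with the
# assertion wrapped in EncryptedAssertion/EncryptedData, one in cleartext.
_HEAD = (f'<?xml version="1.0" encoding="UTF-8"?><saml2p:Response ID="_r1" '
         f'Version="2.0" xmlns:saml2p="{SAML2P_NS}" xmlns:saml2="{SAML2_NS}">')
ENCRYPTED_RESPONSE = (
    _HEAD + '<saml2:EncryptedAssertion><xenc:EncryptedData '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherData>'
    '<xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>')
PLAINTEXT_RESPONSE = (
    _HEAD + '<saml2:Assertion ID="_a1" Version="2.0"><saml2:Issuer>'
    'https://idp.example</saml2:Issuer></saml2:Assertion></saml2p:Response>')

def encode_post_param(xml_text: str) -> str:
    """Encode like the browser's HTTP-POST form field: base64, then URL-encoded."""
    return quote(base64.b64encode(xml_text.encode()).decode(), safe="")

def encode_redirect_param(xml_text: str) -> str:
    """Encode like the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(wbits=-15)
    return quote(base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode(), safe="")
```

A result of "plaintext" means the IdP is still sending cleartext assertions, which is the case the section above says the Controller Tenant will reject once encryption is enabled.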