How to enable encryption of the assertion body using API
All VIP AuthHub
The steps below can be used to enable SAML assertion encryption for a specific SAML Application in AuthHub.
1) Identify the app Id you are using for federation: GET https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps
2) Import the public certificate provided by the SP (using the https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Certs API) so you can use it to encrypt the SAML Response.
3) Update the SAML Application using PUT https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps/7139845c-4ce1-400c-xxxxxxxxxxxx
where 7139845c-4ce1-400c-xxxxxxxxxxxx is the SAML appId in this example,
passing the following in the Body (copy the full Body from the GET on the app API and change samlEncryptSamlResponse and samlEncryptCertAlias as indicated in the example below).
Remove the following fields from the Body; otherwise the API will reject the request:
"appId": "7139845c-4ce1-400c-xxxxxxxxxxxx",
"createdDateTime": "2024-08-27 03:14 PM UTC",
Sample Body of a SAML application (the identifiers and the client secret shown are redacted placeholders):
{
"status": "active",
"name": "DemoClient",
"description": "Demo client to perform tenant level operations for demo purpose.",
"appIcon": null,
"idpDiscoveryEnabled": null,
"skewTimeSecs": 0,
"passwordAuthoritativeSource": "remote",
"mitmProtectionLevel": null,
"zeroFootPrint": false,
"idStoreToUse": null,
"softMFAEnabled": false,
"delegatedAuthentication": false,
"flowURL": null,
"deviceCodeFlowURL": null,
"autoPostToFlowURL": false,
"clientType": "TRUSTED",
"clientId": "bcd46bcf-7ec5-417b-xxxxxxxxxxxxx",
"secret": "53f37709-488a-47c7-xxxxxxxxxxxxx",
"assertionVerificationCertAlias": null,
"allowedOpenIDScopes": [
"address",
"phone",
"openid",
"profile",
"urn:iam:scim:core",
"offline_access",
"urn:iam:scim:ssp",
"groups",
"urn:iam:scim:credentials",
"urn:iam:scim:enterprise",
"urn:iam:scim:custom",
"email"
],
"redirectURIs": [
"https://example/sample-rp/oidc/callback"
],
"allowedGrantTypes": [
"refresh_token",
"implicit",
"client_credentials",
"urn:ietf:params:oauth:grant-type:device_code",
"authorization_code",
"sts_confidential",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"allowedOperations": [
"itgroups",
"introspect",
"atgroups"
],
"supportedJoseHeaderParams": null,
"secondaryAudiences": null,
"claims": [],
"userInfoEndpointResponseFormat": "PLAIN_JSON",
"skipIssuerAudienceForIT": false,
"skipEmailForIT": false,
"userTokenSubAttributeMappingName": null,
"customClaimProviderToUse": null,
"itEncryptionTarget": null,
"itEncryptionCertAlias": null,
"userInfoEncryptionCertAlias": null,
"samlEntityId": "https://example.com",
"samlAcsUrl": "https://example/sample-rp/saml/acs",
"samlEnableSingleLogout": false,
"samlNameIdFormat": null,
"samlVerifyRequestSignature": false,
"samlVerifyCertAlias": null,
"samlEncryptSamlResponse": true,
"samlEncryptCertAlias": "<your SP_public_cert_Alias>",
"samlSignResponse": true,
"samlSignAssertion": true,
"samlSignatureWithKeyInfo": false,
"samlIdpInitiatedRelaystateMapping": [],
"samlAssertionClaims": [],
"samlUserTokenSubAttributeMappingName": null,
"samlEffectiveIdpInitiatedUrlWithEntityId": "https://example/default/saml/v1/idp/login?entityId=https://example",
"samlEffectiveIdpInitiatedUrlWithAppId": "https://example/default/saml/v1/idp/login?appId=ea2ce20a-2d0dxxxxxxxx",
"samlEffectiveSpAcsUrlWithEntityId": "https://example/default/saml/v1/sp/acs?sp=https://example",
"samlEffectiveSpAcsUrlWithAppId": "https://example/default/saml/v1/sp/acs?sp=ea2ce20a-2d0d-46e3-xxxxxxxxxxx",
"samlEffectiveSpAcsUrlWithAppName": "https://example/default/saml/v1/sp/acs?sp=DemoClient",
"homeUrl": "https://example/sample-rp/home",
"launcherUrl": null,
"errorUrl": null,
"logoutUrl": null,
"postLogoutUrl": null,
"isOidcApp": false,
"isSamlApp": true,
"isLauncherApp": false,
"requireAccessControl": null
}
Once updated, the SAML Response will be encrypted.