VIP AuthHub - How to encrypt assertion body



Article ID: 380944


Products

VIP Authentication Hub

Issue/Introduction

How to enable encryption of the assertion body using API

Environment

All VIP AuthHub 

Resolution

The following steps enable SAML assertion encryption for a specific SAML application in AuthHub.

1) Identify the app ID you are using for federation: GET https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps

2) Import the public certificate provided by the SP (using https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Certs) so it can be used to encrypt the SAML Response.

3) Update the SAML application using PUT https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps/7139845c-4ce1-400c-xxxxxxxxxxxx

where 7139845c-4ce1-400c-xxxxxxxxxxxx is the SAML app ID in this example,

passing the following in the body (copy the full body from the GET on the app API and change samlEncryptSamlResponse and samlEncryptCertAlias as indicated in the example below).


Remove the following fields from the body, otherwise the API will reject the request:

        "appId": "7139845c-4ce1-400c-xxxxxxxxxxxx",
        "createdDateTime": "2024-08-27 03:14 PM UTC",


Sample Body of a SAML application:

{
        "status": "active",
        "name": "DemoClient",
        "description": "Demo client to perform tenant level operations for demo purpose.",
        "appIcon": null,
        "idpDiscoveryEnabled": null,
        "skewTimeSecs": 0,
        "passwordAuthoritativeSource": "remote",
        "mitmProtectionLevel": null,
        "zeroFootPrint": false,
        "idStoreToUse": null,
        "softMFAEnabled": false,
        "delegatedAuthentication": false,
        "flowURL": null,
        "deviceCodeFlowURL": null,
        "autoPostToFlowURL": false,
        "clientType": "TRUSTED",
        "clientId": "bcd46bcf-7ec5-417b-xxxxxxxxxxxxx",
        "secret": "53f37709-488a-47c7-xxxxxxxxxxxxx",
        "assertionVerificationCertAlias": null,
        "allowedOpenIDScopes": [
            "address",
            "phone",
            "openid",
            "profile",
            "urn:iam:scim:core",
            "offline_access",
            "urn:iam:scim:ssp",
            "groups",
            "urn:iam:scim:credentials",
            "urn:iam:scim:enterprise",
            "urn:iam:scim:custom",
            "email"
        ],
        "redirectURIs": [
            "https://example/sample-rp/oidc/callback"
        ],
        "allowedGrantTypes": [
            "refresh_token",
            "implicit",
            "client_credentials",
            "urn:ietf:params:oauth:grant-type:device_code",
            "authorization_code",
            "sts_confidential",
            "urn:ietf:params:oauth:grant-type:jwt-bearer"
        ],
        "allowedOperations": [
            "itgroups",
            "introspect",
            "atgroups"
        ],
        "supportedJoseHeaderParams": null,
        "secondaryAudiences": null,
        "claims": [],
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": false,
        "skipEmailForIT": false,
        "userTokenSubAttributeMappingName": null,
        "customClaimProviderToUse": null,
        "itEncryptionTarget": null,
        "itEncryptionCertAlias": null,
        "userInfoEncryptionCertAlias": null,
        "samlEntityId": "https://example.com",
        "samlAcsUrl": "https://example/sample-rp/saml/acs",
        "samlEnableSingleLogout": false,
        "samlNameIdFormat": null,
        "samlVerifyRequestSignature": false,
        "samlVerifyCertAlias": null,
        "samlEncryptSamlResponse": true,
        "samlEncryptCertAlias": "<your SP_public_cert_Alias>",
        "samlSignResponse": true,
        "samlSignAssertion": true,
        "samlSignatureWithKeyInfo": false,
        "samlIdpInitiatedRelaystateMapping": [],
        "samlAssertionClaims": [],
        "samlUserTokenSubAttributeMappingName": null,
        "samlEffectiveIdpInitiatedUrlWithEntityId": "https://example/default/saml/v1/idp/login?entityId=https://example",
        "samlEffectiveIdpInitiatedUrlWithAppId": "https://example/default/saml/v1/idp/login?appId=ea2ce20a-2d0dxxxxxxxx",
        "samlEffectiveSpAcsUrlWithEntityId": "https://example/default/saml/v1/sp/acs?sp=https://example",
        "samlEffectiveSpAcsUrlWithAppId": "https://example/default/saml/v1/sp/acs?sp=ea2ce20a-2d0d-46e3-xxxxxxxxxxx",
        "samlEffectiveSpAcsUrlWithAppName": "https://example/default/saml/v1/sp/acs?sp=DemoClient",
        "homeUrl": "https://example/sample-rp/home",
        "launcherUrl": null,
        "errorUrl": null,
        "logoutUrl": null,
        "postLogoutUrl": null,
        "isOidcApp": false,
        "isSamlApp": true,
        "isLauncherApp": false,
        "requireAccessControl": null
}

Once updated, the SAML Response will be encrypted.
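The procedure above (GET the app, drop the read-only fields, set the two encryption fields, PUT the body back) as an added Python example; this is not Broadcom's or AuthHub's own code. It assumes, because the article does not say, that the admin API accepts a bearer token in the Authorization header, that GET on /admin/v1/Apps/{appId} returns the same body the PUT expects, and that the host, tenant path, token, app ID and certificate alias are supplied through environment variables. The SAMPLE_APP dict is a constructed subset of the sample body above so the dry run works offline.

```python
"""Added example, not Broadcom's or the AuthHub project's own code: apply the
GET -> edit -> PUT procedure from the article to one SAML app.  Assumptions
(not stated on the page): the admin API accepts a bearer token in the
Authorization header, GET /admin/v1/Apps/{appId} returns the body the PUT
expects, and host, tenant path, token, app ID and alias come from the environment."""
import copy
import json
import os
import urllib.request

# Fields the article says must be removed from the GET body before the PUT.
READ_ONLY_FIELDS = ("appId", "createdDateTime")

# Constructed sample, trimmed from the article's sample body, so the offline
# part of this script has something to work on.
SAMPLE_APP = {
    "appId": "7139845c-4ce1-400c-xxxxxxxxxxxx",
    "createdDateTime": "2024-08-27 03:14 PM UTC",
    "name": "DemoClient",
    "isSamlApp": True,
    "samlEntityId": "https://example.com",
    "samlEncryptSamlResponse": False,
    "samlEncryptCertAlias": None,
    "samlSignResponse": True,
    "samlSignAssertion": True,
}


def build_encryption_update(app, cert_alias):
    """Return the PUT body that enables encryption; the input dict is left untouched.

    Refuses non-SAML apps and empty aliases so a mistake cannot silently leave
    the SAML Response unencrypted after a successful PUT."""
    if not app.get("isSamlApp"):
        raise ValueError("app %r is not a SAML application" % app.get("name"))
    alias = (cert_alias or "").strip()
    if not alias:
        raise ValueError("an imported SP certificate alias is required")
    body = copy.deepcopy(app)
    for field in READ_ONLY_FIELDS:
        body.pop(field, None)
    body["samlEncryptSamlResponse"] = True
    body["samlEncryptCertAlias"] = alias
    return body


def review_update(body):
    """Return findings about the body before it is sent.

    Encryption only hides the assertion from third parties; the SP still needs a
    signature to know the IdP produced it, so an unsigned configuration is flagged."""
    findings = []
    if not body.get("samlSignAssertion") and not body.get("samlSignResponse"):
        findings.append("neither samlSignAssertion nor samlSignResponse is enabled")
    if "secret" in body:
        findings.append("body echoes the client secret from the GET; keep it out of logs and tickets")
    return findings


def _call(method, url, token, body=None):
    """Minimal JSON client for the admin API (bearer auth is an assumption)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def enable_saml_encryption(base_url, token, app_id, cert_alias):
    """GET the current app body, edit it as the article describes, PUT it back."""
    app_url = "%s/admin/v1/Apps/%s" % (base_url.rstrip("/"), app_id)
    current = _call("GET", app_url, token)  # assumed: single-app GET exists
    body = build_encryption_update(current, cert_alias)
    for finding in review_update(body):
        print("warning:", finding)
    return _call("PUT", app_url, token, body)


if __name__ == "__main__":
    # Offline dry run on the constructed sample.
    preview = build_encryption_update(SAMPLE_APP, "sp-encryption-cert")
    print(json.dumps(preview, indent=2))
    # Live run only when the {{sspHost}} / {{apiPathTenant}} placeholders are filled in.
    host, tenant = os.environ.get("SSP_HOST"), os.environ.get("API_PATH_TENANT")
    if host and tenant:
        base = "https://%s/%s" % (host, tenant)
        result = enable_saml_encryption(base, os.environ["ADMIN_TOKEN"],
                                        os.environ["SAML_APP_ID"],
                                        os.environ["SP_CERT_ALIAS"])
        print("encryption enabled:", result.get("samlEncryptSamlResponse"))
```

Run it with no environment variables set to see the dry-run body; only `appId` and `createdDateTime` are removed, everything else from the GET is carried over unchanged. The `review_update` check reflects the sample body above, where `samlSignResponse` and `samlSignAssertion` are both true: encrypting an unsigned response would stop eavesdroppers reading it but give the SP no way to confirm its origin.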