enabling-encrypted-assertions.md

File metadata and controls

57 lines (45 loc) · 3.55 KB
---
title: Enabling encrypted assertions
shortTitle: Enable encrypted assertions
intro: "You can improve {% data variables.location.product_location %}'s security with SAML single sign-on (SSO) by encrypting the messages that your SAML identity provider (IdP) sends."
permissions: Site administrators
versions:
  ghes: '*'
type: how_to
topics:
  - Accounts
  - Authentication
  - Enterprise
  - Identity
  - Security
  - SSO
redirect_from:
  - /admin/identity-and-access-management/using-saml-for-enterprise-iam/enabling-encrypted-assertions
---

## About encrypted assertions

If your IdP supports encryption of assertions, you can configure encrypted assertions on {% data variables.product.prodname_ghe_server %} for increased security during the authentication process.

## Prerequisites

To enable encrypted assertions for authentication to {% data variables.product.prodname_ghe_server %}, you must configure SAML authentication, and your IdP must support encrypted assertions.

## Enabling encrypted assertions

To enable encrypted assertions, you must provide {% data variables.location.product_location %}'s public certificate to your IdP, and configure encryption settings that match your IdP.

> [!NOTE]
> {% data reusables.enterprise.test-in-staging %}

1. Optionally, enable SAML debugging. SAML debugging records verbose entries in {% data variables.product.prodname_ghe_server %}'s authentication log, and may help you troubleshoot failed authentication attempts. For more information, see AUTOTITLE.
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.authentication %}
2. Select **Require encrypted assertions**.
3. To the right of "Encryption Certificate", to save a copy of {% data variables.location.product_location %}'s public certificate on your local machine, click **Download**.
4. Sign in to your SAML IdP as an administrator.
5. In the application for {% data variables.location.product_location %}, enable encrypted assertions.
   - Note the encryption method and key transport method.
   - Provide the public certificate you downloaded in step 7.
6. Return to the management console on {% data variables.location.product_location %}.
7. To the right of "Encryption Method", select the encryption method for your IdP from step 9.
8. To the right of "Key Transport Method", select the key transport method for your IdP from step 9.
9. Click **Save settings**. {% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}

If you enabled SAML debugging to test authentication with encrypted assertions, disable SAML debugging when you're done testing. For more information, see AUTOTITLE.
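When authentication fails after enabling encrypted assertions, a common cause is a mismatch between the encryption method and key transport method selected in the management console and the algorithms the IdP actually uses. The following script is an added example (not part of this page or of {% data variables.product.prodname_ghe_server %}) that reads a SAML Response you have captured while testing, reports whether its assertion is encrypted, and extracts the two XML Encryption algorithm identifiers so you can compare them with your console settings. The embedded Response is constructed for illustration and carries placeholder cipher values.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample (not a real IdP capture): a minimal Response carrying an
# EncryptedAssertion. The CipherValue contents are placeholders, not ciphertext.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER_KEY</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER_DATA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def inspect_response(xml_text):
    """Report whether the Response's assertion is encrypted and which XML
    Encryption algorithms the IdP used for the data and for key transport."""
    root = ET.fromstring(xml_text)
    result = {"encrypted": False, "encryption_method": None, "key_transport_method": None}
    enc = root.find("saml:EncryptedAssertion", NS)
    if enc is None:
        # A plaintext <saml:Assertion> is rejected once "Require encrypted assertions" is on.
        return result
    result["encrypted"] = True
    data_method = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
    if data_method is not None:
        result["encryption_method"] = data_method.get("Algorithm")
    # The EncryptedKey usually sits inside ds:KeyInfo, but may also be a sibling of EncryptedData.
    key_method = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    if key_method is not None:
        result["key_transport_method"] = key_method.get("Algorithm")
    return result


def matches_console_settings(report, encryption_method, key_transport_method):
    """True only when the IdP's algorithms equal the values chosen under
    "Encryption Method" and "Key Transport Method" in the management console."""
    return (report["encrypted"]
            and report["encryption_method"] == encryption_method
            and report["key_transport_method"] == key_transport_method)
```

Pass the algorithm URIs your IdP documents for its chosen methods to `matches_console_settings`; a `False` result points at the setting to correct before re-enabling SAML debugging.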

## SAML signing certificate for AuthnRequests

With encrypted assertions, {% data variables.product.prodname_ghe_server %} relies on the SAML signing certificate private key to decrypt assertions. This certificate is automatically generated when {% data variables.product.prodname_ghe_server %} is set up, and it is valid for 10 years.

You can find more details about the SAML signing certificate, how long it is valid for, and how to regenerate it if needed in AUTOTITLE.