---
title: Enabling encrypted assertions
shortTitle: Enable encrypted assertions
intro: 'You can improve {% data variables.location.product_location %}''s security with SAML single sign-on (SSO) by encrypting the messages that your SAML identity provider (IdP) sends.'
permissions: Site administrators
versions:
  ghes: '*'
type: how_to
topics:
  - Accounts
  - Authentication
  - Enterprise
  - Identity
  - Security
  - SSO
redirect_from:
  - /admin/identity-and-access-management/using-saml-for-enterprise-iam/enabling-encrypted-assertions
---

## About encrypted assertions

If your IdP supports encryption of assertions, you can configure {% data variables.product.prodname_ghe_server %} to require encrypted assertions for increased security during the authentication process. With encrypted assertions, the IdP encrypts each assertion and wraps the encryption key with {% data variables.location.product_location %}'s public certificate, so the assertion's contents are protected in transit in addition to being signed.

## Prerequisites

To enable encrypted assertions for authentication to {% data variables.product.prodname_ghe_server %}, you must already have configured SAML authentication, and your IdP must support encrypted assertions.

## Enabling encrypted assertions

To enable encrypted assertions, you must provide {% data variables.location.product_location %}'s public certificate to your IdP, and select the encryption method and key transport method on {% data variables.location.product_location %} that match what your IdP uses.

> [!NOTE]
> {% data reusables.enterprise.test-in-staging %}

1. Optionally, enable SAML debugging. SAML debugging records verbose entries in {% data variables.product.prodname_ghe_server %}'s authentication log, and may help you troubleshoot failed authentication attempts. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#configuring-saml-debugging).
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.authentication %}
1. Select **Require encrypted assertions**.
1. To the right of "Encryption Certificate", to save a copy of {% data variables.location.product_location %}'s public certificate on your local machine, click **Download**.
1. Sign in to your SAML IdP as an administrator.
1. In the application for {% data variables.location.product_location %}, enable encrypted assertions.
   * Note the encryption method and key transport method.
   * Provide the public certificate you downloaded in step 7.
1. Return to the management console on {% data variables.location.product_location %}.
1. To the right of "Encryption Method", select the encryption method for your IdP from step 9.
1. To the right of "Key Transport Method", select the key transport method for your IdP from step 9.
1. Click **Save settings**.
{% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}

If you enabled SAML debugging to test authentication with encrypted assertions, disable SAML debugging when you're done testing. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#configuring-saml-debugging).
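Before you turn on **Require encrypted assertions** outside staging, it is worth confirming what the IdP actually sends. The script below is an added example, not part of this page or of GitHub's tooling. Given the XML of a SAML Response (for the HTTP-POST binding, base64-decode the `SAMLResponse` form field captured from the browser), it reports whether the assertions are encrypted, which XML Encryption algorithms the IdP used for the assertion and for key transport, and whether they match the Encryption Method and Key Transport Method you selected in the management console; it also flags RSA PKCS#1 v1.5 key transport, which is exposed to padding-oracle attacks. The algorithm URIs are the standard XML Encryption identifiers. The two embedded Responses are constructed, with placeholder text instead of ciphertext, and `github.example.com` and `idp.example.com` are hypothetical hosts.

```python
# Check a SAML Response against the encrypted-assertion settings chosen in the
# Management Console.  Added example, not GitHub's own code: nothing is decrypted;
# the script only reads the XML Encryption algorithm identifiers the IdP put in
# the message.  The sample Responses are constructed, with placeholder ciphertext.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Standard XML Encryption URIs: assertion cipher ("Encryption Method") ...
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
# ... and session-key wrapping with GHES's public key ("Key Transport Method").
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
DEPRECATED_KEY_TRANSPORT = {RSA_1_5}  # PKCS#1 v1.5 padding: padding-oracle exposure


def _algorithm(parent):
    """Algorithm URI of the xenc:EncryptionMethod directly under parent, or None."""
    method = parent.find("xenc:EncryptionMethod", NS)
    return None if method is None else method.get("Algorithm")


def inspect_response(xml_text):
    """Count plaintext saml:Assertion elements and, for every saml:EncryptedAssertion,
    record the data-encryption and key-transport algorithms the IdP used."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    encrypted = []
    for ea in root.findall("saml:EncryptedAssertion", NS):
        data = ea.find("xenc:EncryptedData", NS)
        if data is None:
            raise ValueError("EncryptedAssertion without EncryptedData")
        # XML Encryption lets the EncryptedKey sit inside EncryptedData/KeyInfo or
        # beside EncryptedData; IdPs differ, so accept both layouts.
        key = data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
        if key is None:
            key = ea.find("xenc:EncryptedKey", NS)
        encrypted.append({"data": _algorithm(data),
                          "key_transport": None if key is None else _algorithm(key)})
    return {"plaintext_assertions": len(root.findall("saml:Assertion", NS)),
            "encrypted_assertions": encrypted}


def check_against_console(report, expected_data_alg, expected_key_alg):
    """Problems found; an empty list means every assertion is encrypted with exactly
    the algorithms selected under Encryption Method and Key Transport Method."""
    problems = []
    if report["plaintext_assertions"]:
        problems.append("IdP still sends plaintext assertions; rejected once "
                        "'Require encrypted assertions' is on")
    if not report["encrypted_assertions"]:
        problems.append("no EncryptedAssertion in the Response")
    for ea in report["encrypted_assertions"]:
        if ea["data"] != expected_data_alg:
            problems.append("encryption method mismatch: IdP used %s, console expects %s"
                            % (ea["data"], expected_data_alg))
        if ea["key_transport"] != expected_key_alg:
            problems.append("key transport mismatch: IdP used %s, console expects %s"
                            % (ea["key_transport"], expected_key_alg))
        if ea["key_transport"] in DEPRECATED_KEY_TRANSPORT:
            problems.append("deprecated key transport %s; move the IdP to RSA-OAEP"
                            % ea["key_transport"])
    return problems


# Constructed sample from a correctly configured IdP (placeholder ciphertext).
_PLACEHOLDER = base64.b64encode(b"constructed placeholder, not ciphertext").decode()
SAMPLE_ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://github.example.com/saml/consume">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="%s"/>
    <ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%s"/>
      <xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>""" % (AES256_GCM, RSA_OAEP_MGF1P, _PLACEHOLDER, _PLACEHOLDER)

# Constructed sample from an IdP not yet switched to encrypted assertions.
SAMPLE_PLAINTEXT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://github.example.com/saml/consume">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>octocat</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, xml_text in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        problems = check_against_console(inspect_response(xml_text), AES256_GCM, RSA_OAEP_MGF1P)
        print(name + ":", "; ".join(problems) or "matches console settings")
```

Run it against a Response captured from your own IdP, passing the URIs that correspond to the Encryption Method and Key Transport Method you selected; an empty problem list means the IdP is sending what {% data variables.location.product_location %} has been told to expect. A plaintext `saml:Assertion` in the capture means the IdP application has not actually been switched to encrypted assertions yet, and a `rsa-1_5` key transport should be changed at the IdP before, not after, you enforce the setting.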

## SAML signing certificate for AuthnRequests

With encrypted assertions, {% data variables.product.prodname_ghe_server %} uses the private key of its SAML signing certificate to decrypt assertions, so the public certificate you download from the management console and give to your IdP is the public half of that same key pair. The certificate is generated automatically when {% data variables.product.prodname_ghe_server %} is set up, and it is valid for 10 years. If you regenerate the certificate, provide the new public certificate to your IdP as well; otherwise the IdP will encrypt assertions to a key that {% data variables.product.prodname_ghe_server %} no longer holds, and authentication will fail.

You can find more details about the SAML signing certificate, how long it is valid for, and how to regenerate it if needed in [AUTOTITLE](/admin/managing-iam/iam-configuration-reference/saml-configuration-reference#saml-signing-certificate-for-authnrequests).