Enhanced Authentication Security
You can enable request signing, signed response, or encrypted assertion to enhance authentication security:
- Request signing
- A signed authentication request contains a signature to verify the authenticity of the request itself. Informatica, acting as a service provider, sends an authentication request to the identity provider. To maintain the integrity of the request, the authentication request can be signed.
- Informatica signs a SAML request using a private key, and the identity provider verifies the signature using the corresponding public certificate.
- Informatica sends SAML authentication requests via HTTP-Redirect. The requests use deflate encoding, which puts the signature in a URL parameter.
- Signed response
The identity provider responds to authentication requests from a service provider. A signed response contains a signature that the identity provider creates, using an algorithm chosen by the identity provider administrator. Informatica then verifies the signature using the corresponding public certificate that the domain administrator imported to the SAML truststore.
- Signed assertion and encrypted assertion
- The identity provider sends assertions of authenticity to service providers.
- A signed assertion contains a signature that the identity provider creates, using an algorithm chosen by the identity provider administrator. Informatica then verifies the signature using the corresponding public certificate that the domain administrator imported to the SAML truststore. Informatica recommends that you enable the signed assertion.
- The Informatica administrator generates an asymmetric key (public-private key).
- The assertion can be encrypted by the identity provider using an assertion encryption key, which is a symmetric key generated by the identity provider.
- When you enable encrypted assertion, the identity provider also encrypts the symmetric key using the public certificate that the security administrator imported into the identity provider. The SAML response will contain the encrypted assertion and an encrypted symmetric key. Acting as a service provider, Informatica decrypts the encrypted symmetric key using the corresponding private key that the Informatica administrator imports into the SAML keystore. After obtaining the symmetric key, Informatica decrypts the encrypted assertion.
Follow the steps in this section to enable request signing, encrypted assertion, or signed response.
Request Signing
You can enable request signing during the install-upgrade process or after install-upgrade by using infasetup.
During the installation or upgrade process, check the Signed request option in the installer utility.
After the installation or upgrade process, set up request signing using infasetup.
You can also configure request signing for the web applications using the Administrator tool or the web application user interface.
infasetup
To use infasetup, use the following options with the infasetup updateDomainSamlConfig command:
- •[<-SignSamlRequest|-ssr> sign_smal_request]
- •[<-RequestSigningPrivateKeyAlias|-rspa> saml_request_signing_private_key_alias]
- •[<-RequestSigningPrivateKeyPassword|-rspp> saml_request_signing_private_key_password]
- •[<-RequestSigningAlgorithm|-rsa> saml_request_signing_algorithm]
For details about these commands, see the Informatica Command Reference.
Administrator Tool
Configure request signing in the Administrator tool.
1. In the Domain Navigator, select the domain node.
2. In the node properties, click the Edit icon in the SAML Configuration section.
3. Select Enable Signing Request.
4. Populate the following properties:
- - Signing Private Key Alias
- - Signin Private Key Password
- - Signing Algorithm
5. Click OK.
6. Restart the domain.
Signed Response
Enable signed response to allow the identity provider to sign the authentication request responses from the service provider.
You can enable signed response during the install-upgrade process or after install-upgrade by using infasetup.
During the installation or upgrade process, check the Signed response option in the installer utility.
After the installation or upgrade process, set up response signing using infasetup.
You can also configure signed response for the web applications using the Administrator tool or the web application user interface.
Note: The Okta SSO identity provider does not support signed response.
infasetup
To use infasetup, use the following options with the infasetup updateDomainSamlConfig command:
- •[<-SamlResponseSigned|-srs> saml_response_signed]
- •[<-ResponseSigningCertificateAlias|-rsca> idp_response_signing_certificate_alias]
For details about these commands, see the Informatica Command Reference.
Administrator Tool
Configure response signing in the Administrator tool.
1. In the Domain Navigator, select the domain node.
2. In the node properties, click the Edit icon in the SAML Configuration section.
3. Select Enable Response Signing.
4. Populate the Response Signing Certificate Alias property.
5. Click OK.
6. Restart the domain.
Encrypted Assertion
Enable encrypted assertion to allow the identity provider to encrypt assertions of authenticity using a symmetric key.
You can enable assertion signing or encrypted assertion during the install-upgrade process or after install-upgrade by using infasetup.
During the installation or upgrade process, check the Encrypt assertion option in the installer utility.
After the installation or upgrade process, set up encrypted assertion using infasetup.
You can also configure signed response for the web applications using the Administrator tool or the web application user interface.
infasetup
To use infasetup, use the following options with the infasetup updateDomainSamlConfig command:
- •[<-SamlAssertionEncrypted|-sae> saml_assertion_encrypted]
- •[<-EncryptedAssertionPrivateKeyAlias|-eapa> saml_encrypted_assertion_private_key_alias]
- •[<-EncryptedAssertionPrivateKeyPassword|-eapp> saml_encrypted_assertion_private_key_password]
For details about these commands, see the Informatica Command Reference.
Administrator Tool
Configure encrypted assertion in the Administrator tool.
1. In the Domain Navigator, select the domain node.
2. In the node properties, click the Edit icon in the SAML Configuration section.
3. Select Enable Assertion Encryption.
4. Populate the following properties:
- - Encryption Assertion Private Key Alias
- - Encryption Assertion Private Key Password
5. Click OK.
6. Restart the domain.