Introduction
This article describes how to configure SAML signing and encryption in Terraform Enterprise.
Overview
SAML signatures authenticate data sent between a Service Provider (SP) and an Identity Provider (IdP). You can enhance the security of your single sign-on (SSO) by encrypting SAML responses, which ensures that sensitive user data remains protected in transit. This encryption layer adds security on top of the digital signatures used for assertion integrity verification.
Terraform Enterprise supports the following signing- and encryption-related SAML functionality:
- SAML request signing
- IdP SAML response and assertion signing
- Decrypting SAML assertions
Procedure
Configure SAML Request Signing
To configure Terraform Enterprise to sign its SAML AuthnRequest, select the Enable AuthnRequestsSigned checkbox and add a certificate key pair under Certificate and Private key. Terraform Enterprise signs the SAML request with its Private key, and the IdP validates this signature using the Certificate, which you must upload to the IdP. The Signature Signing Method and Signature Digest Method settings control the signature and digest method for this function.
Configure SAML Assertion Encryption
To enable encryption of the IdP SAML assertion, upload the certificate from the Certificate setting to the IdP and configure the IdP to encrypt SAML assertions. The IdP encrypts its SAML assertion using the Certificate, and Terraform Enterprise decrypts the assertion using the Private key. Assertion encryption and decryption in Terraform Enterprise use the same Certificate and Private key pair as SAML request signing.
Configure IdP SAML Assertion Signing
Under Identity Provider Settings, add the X.509 signing certificate obtained from the IdP to the IDP Certificate field. The IdP signs the SAML response using its private key, and Terraform Enterprise validates the signature using this certificate. To require the IdP to also sign the SAML Assertion, select the Enable WantAssertionsSigned checkbox.
Additional Information
Changes to the settings described above, with the exception of the IDP Certificate setting, require a Terraform Enterprise restart to take effect. For example, after adding a Certificate and Private key, SAML sign-on attempts will fail until you restart the application, and the following error will appear in the tfe-atlas container logs:
An EncryptedAssertion found and no SP private key found on the settings to decrypt it.
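As an added diagnostic example (not from this article or from Terraform Enterprise itself), the following Python script inspects a SAML Response received from the IdP, reports which of the features described above it uses (response signing, assertion signing, assertion encryption), and maps them to the settings this article covers; the two sample responses and the setting values passed in are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_response(xml_text):
    """Report which signing/encryption features an IdP applied to a samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document is not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    return {
        # ds:Signature directly under samlp:Response: the IdP signed the response.
        "response_signed": root.find("ds:Signature", NS) is not None,
        # ds:Signature directly under saml:Assertion: the IdP signed the assertion.
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        # saml:EncryptedAssertion: the IdP encrypted the assertion to the SP certificate.
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }

def check_against_settings(features, want_assertions_signed, sp_private_key_configured):
    """Map observed features to the Terraform Enterprise settings; return mismatches."""
    problems = []
    if features["assertion_encrypted"] and not sp_private_key_configured:
        problems.append("EncryptedAssertion present but no SP Certificate/Private key configured")
    # An encrypted assertion's own signature is only visible after decryption.
    if want_assertions_signed and not (features["assertion_signed"] or features["assertion_encrypted"]):
        problems.append("WantAssertionsSigned enabled but the assertion is not signed")
    if not any(features.values()):
        problems.append("neither the response nor the assertion carries a signature")
    return problems

# Constructed samples (element contents omitted): a signed response carrying an
# encrypted assertion, and an unsigned response carrying a signed plaintext assertion.
_XMLNS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
          'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')
ENCRYPTED_RESPONSE = ('<samlp:Response %s ID="_r1" Version="2.0"><ds:Signature/>'
                      '<saml:EncryptedAssertion/></samlp:Response>' % _XMLNS)
SIGNED_ASSERTION_RESPONSE = ('<samlp:Response %s ID="_r2" Version="2.0"><saml:Assertion ID="_a2">'
                             '<ds:Signature/></saml:Assertion></samlp:Response>' % _XMLNS)

if __name__ == "__main__":
    found = inspect_saml_response(ENCRYPTED_RESPONSE)
    print(found, check_against_settings(found, want_assertions_signed=True, sp_private_key_configured=False))
```

With the encrypted sample and no SP key configured, the check reports the same condition that produces the tfe-atlas log line above.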
For more information, refer to the SAML Configuration in Terraform Enterprise documentation.