This article outlines the SAML encryption and signing functionality supported by Terraform Enterprise and provides details on its configuration.
SAML signatures are used to authenticate data sent between an SP and IdP. Additionally, organizations can enhance the security of their SSO by encrypting SAML responses, ensuring that sensitive user data remains protected in transit. This encryption layer adds an additional level of security on top of the digital signatures used for assertion integrity verification.
Terraform Enterprise supports the following encryption-related SAML functionality:
- SAML request signing
- Decrypting SAML assertions
- Verifying IdP signature on SAMLResponse/Assertion
SAML Request Signing
SAML Assertion Encryption
To enable encryption of the IdP SAML assertion, upload the certificate configured in the Certificate setting to the IdP and configure the IdP to encrypt SAML assertions. The IdP will encrypt its SAML assertion using the Certificate, and Terraform Enterprise will decrypt the assertion using the Private key. Note that assertion encryption/decryption in Terraform Enterprise uses the same Certificate and Private key pair that is used for SAML request signing.
IdP SAML Assertion Signing
Under Identity Provider Settings, add the X.509 signing certificate obtained from the IdP under IDP Certificate. The IdP will sign the SAML response using its private key, and Terraform Enterprise will validate the signature using this certificate. To require that the IdP also sign the SAML Assertion itself (not only the Response), check the Enable WantAssertionsSigned setting.
Note that changes to the settings above, with the exception of the IDP Certificate setting, require Terraform Enterprise to be restarted to take effect. For example, after adding a Certificate and Private key, SAML sign-on attempts will fail with the following error logged in the tfe-atlas container until the application is restarted:
An EncryptedAssertion found and no SP private key found on the settings to decrypt it.
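As an added example (not Terraform Enterprise's own code), the following Python inspects the structure of a SAMLResponse and reports which of the settings above a given response would trip, including the EncryptedAssertion error quoted above when no SP private key is configured. The two sample responses and the setting values are constructed; real signature verification and decryption are left to the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the IdP signed the Response and encrypted the Assertion.
# Signature and cipher values are placeholders, not real cryptographic data.
ENCRYPTED_SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:EncryptedAssertion><xenc:EncryptedData><xenc:CipherData>
    <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample: plaintext Assertion; the Response is signed, the Assertion is not.
PLAIN_SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a2" Version="2.0"><saml:Issuer>idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp_private_key=None, idp_certificate=None,
                   want_assertions_signed=False):
    """Return the problems a SAMLResponse hits under the given (hypothetical) settings.

    Only structure is inspected; cryptographic checks belong to the SAML library.
    An empty list means the settings are sufficient for this response.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if idp_certificate is None:
        problems.append("no IDP Certificate configured: IdP signature cannot be verified")
    response_signed = root.find("ds:Signature", NS) is not None
    if root.find("saml:EncryptedAssertion", NS) is not None:
        if sp_private_key is None:  # the exact message logged by tfe-atlas
            problems.append("An EncryptedAssertion found and no SP private key "
                            "found on the settings to decrypt it.")
        assertion_signed = None  # only knowable after decryption
    else:
        assertion = root.find("saml:Assertion", NS)
        assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
        if want_assertions_signed and not assertion_signed:
            problems.append("WantAssertionsSigned is enabled but the Assertion is unsigned")
    if not response_signed and not assertion_signed:  # an unsigned Response is flagged
        problems.append("neither the Response nor the Assertion carries an IdP signature")
    return problems
```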