Enabling encryption for SAML based SSO in AppScan Enterprise

When a user logs in to the service provider (SP), in this case AppScan Enterprise, an authentication request is sent to the identity provider (IdP). You can encrypt the authentication and approval requests that pass between the SP and the IdP by installing a self-signed certificate on the AppScan Enterprise Server.

Before you begin

  • You must be an AppScan Enterprise administrator to enable encryption for SAML.
  • You must have configured SAML SSO service provider in AppScan Enterprise.

About this task

This section explains how to enable encryption for SAML based SSO in AppScan Enterprise.

Procedure

  1. Download openssl-1.0.2j-fips-x86_64 to the computer where you have installed the AppScan Enterprise application.
  2. Stop the HCL Appscan Enterprise Server Service.
  3. Open a terminal and change to the <openssl directory>\openssl-1.0.2j-fips-x86_64\OpenSSL\bin directory where you downloaded the file.
  4. Run the following commands to generate a self-signed certificate and private key for the application.
    • set OPENSSL_CONF=D:\Downloads\openssl-1.0.2j-fips-x86_64\OpenSSL\bin\openssl.cnf
    • openssl req -newkey rsa:2048 -x509 -keyout cakey.pem -out cacert.pem -days 3650
      This command generates the self-signed certificate (cacert.pem) and its private key (cakey.pem).
    • openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name "<password provided during certificate generation>"
    • openssl pkcs8 -topk8 -inform pem -nocrypt -in cakey.pem -outform pem -out sp.pem
      This command generates the sp.pem file containing the private key in unencrypted PKCS#8 form.
    The certificate (cacert.pem) and private key (sp.pem) are now generated.
  5. Convert the certificate and the private key into single-line strings using the https://www.samltool.com/format_x509cert.php tool.
  6. Copy the converted certificate string and the converted private key string to a text editor such as Notepad.
  7. Go to the server where you have installed the AppScan Enterprise application.
  8. Navigate to the configuration folder in the AppScan Enterprise installation directory, for example <installation directory>\AppScan Enterprise\Liberty\usr\servers\ase\config.
  9. Locate the SAML configuration properties file, onelogin.saml.properties, and open it in a text editor.
  10. Update the properties in the file with the generated values as described in the following table:
    SAML property                                     Property value to update
    onelogin.saml2.sp.x509cert                        Set the value to the generated and converted self-signed certificate string.
    onelogin.saml2.sp.privatekey                      Set the value to the converted private key string.
    onelogin.saml2.strict                             Set the value to true
    onelogin.saml2.security.nameid_encrypted          Set the value to true
    onelogin.saml2.security.authnrequest_signed       Set the value to true
    onelogin.saml2.security.want_assertions_signed    Set the value to true
    onelogin.saml2.security.want_xml_validation       Set the value to true
  11. After updating the onelogin.saml.properties file, save and close the file.
  12. Run the Configuration wizard and select the generated self-signed certificate for use by the Liberty Server.
  13. Restart HCL Appscan Enterprise Server Service.
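The conversion in steps 4 and 5 and the property updates in step 10 can also be scripted. The following Python helper is an added example and is not HCL's code. It reproduces what the samltool.com formatter does (strips the BEGIN/END markers and line breaks and checks that the result is clean base64), refuses a private key that is not the unencrypted PKCS#8 "PRIVATE KEY" block produced by the openssl pkcs8 -nocrypt command, and rewrites the seven properties from the table in a properties file. The PEM bodies and the properties excerpt are constructed samples; the property names are the ones listed in the table.

```python
import base64
import re
from typing import Dict, Optional

# Constructed sample inputs (not real AppScan Enterprise artifacts): PEM files with
# made-up base64 bodies, laid out the way "openssl req -x509" and "openssl pkcs8 -nocrypt"
# write them (64-character lines between BEGIN/END markers).
def _pem(label: str, payload: bytes) -> str:
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

SAMPLE_CERT_PEM = _pem("CERTIFICATE", b"constructed sample certificate DER bytes, not a real certificate")
SAMPLE_KEY_PEM = _pem("PRIVATE KEY", b"constructed sample PKCS#8 key bytes, not a real key")

# Constructed excerpt standing in for onelogin.saml.properties; only keys from the
# procedure's table appear, with the "before" values an unencrypted setup would have.
SAMPLE_PROPERTIES = """# constructed excerpt, not the shipped onelogin.saml.properties
onelogin.saml2.strict = false
onelogin.saml2.sp.x509cert =
onelogin.saml2.sp.privatekey =
onelogin.saml2.security.authnrequest_signed = false
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_single_line(pem: str, expected_label: str) -> str:
    """Strip the BEGIN/END markers and line breaks, as the samltool.com formatter does,
    and refuse input that is not the block type the property expects."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    label, body = match.group(1), match.group(2)
    if label != expected_label:
        # "ENCRYPTED PRIVATE KEY" or "RSA PRIVATE KEY" here means the
        # "openssl pkcs8 -topk8 -nocrypt" step was skipped
        raise ValueError(f"expected a '{expected_label}' block, found '{label}'")
    single = "".join(body.split())
    base64.b64decode(single, validate=True)  # reject anything that is not clean base64
    return single

# Java properties separate key and value with "=", ":" or whitespace; split on the first one only
PROPERTY_SEP = re.compile(r"\s*[=:]\s*|\s+")

def _key_of(line: str) -> Optional[str]:
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None  # blank line or comment
    return PROPERTY_SEP.split(stripped, maxsplit=1)[0]

def update_properties(text: str, updates: Dict[str, str]) -> str:
    """Rewrite existing keys in place, append keys that are missing, keep everything else."""
    out, seen = [], set()
    for line in text.splitlines():
        key = _key_of(line)
        if key in updates:
            out.append(f"{key}={updates[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal reader for the key=value lines written above, used to check the result."""
    props = {}
    for line in text.splitlines():
        key = _key_of(line)
        if key is not None:
            parts = PROPERTY_SEP.split(line.strip(), maxsplit=1)
            props[key] = parts[1] if len(parts) > 1 else ""
    return props

def build_updates(cert_pem: str, key_pem: str) -> Dict[str, str]:
    """The seven property changes from step 10, with both PEM files already converted."""
    return {
        "onelogin.saml2.sp.x509cert": pem_to_single_line(cert_pem, "CERTIFICATE"),
        "onelogin.saml2.sp.privatekey": pem_to_single_line(key_pem, "PRIVATE KEY"),
        "onelogin.saml2.strict": "true",
        "onelogin.saml2.security.nameid_encrypted": "true",
        "onelogin.saml2.security.authnrequest_signed": "true",
        "onelogin.saml2.security.want_assertions_signed": "true",
        "onelogin.saml2.security.want_xml_validation": "true",
    }

if __name__ == "__main__":
    print(update_properties(SAMPLE_PROPERTIES, build_updates(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)))
```

To use it on a real server, read cacert.pem, sp.pem and onelogin.saml.properties from disk in place of the three samples and write the result back. The label check is the part worth keeping even if you convert by hand: a key file whose first line reads BEGIN ENCRYPTED PRIVATE KEY or BEGIN RSA PRIVATE KEY is not the output of the pkcs8 -nocrypt step and is not what onelogin.saml2.sp.privatekey expects.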