Configuring IdP to use Encrypted Assertions
The IdP can encrypt the SAML response using the previously generated key held in the config/saml2-keystore. For more on creating the keystore, see Configuring Xpress Insight 5 to use SAML 2.0.
Note: You need to have OpenSSL installed (or another tool able to convert PEM to PKCS12 files) to complete this process.
Note: These instructions use the term <INSTALLDATADIR> to describe the path to your installation directory. This path will normally be C:\ProgramData\FICO\Xpress Insight\Server\ unless otherwise set by your IT department.
- Open a Windows Command Prompt window on the machine hosting the Xpress Insight Server and type the following command:
cd <INSTALLDATADIR>
- In the Windows Command Prompt window, type the following command, using the name saml2-cert:
openssl pkcs12 -in saml2-keystore -nokeys -out saml2-cert
Note: This instruction exports the encryption certificate that you will upload to the IdP. Make a note of where it is stored.
- Log in to the administration interface of your instance of Okta.
- Select your Xpress Insight 5 tile in the Applications window.
- Open the General tab, then select Edit on the SAML Settings pane.
- Click Next to open the second page of the Edit SAML Integration wizard.
- Click the Advanced Settings link.
- Click the Assertion Encryption drop down and select Encrypted. The page updates to display some encryption options.
- Update the Encryption Certificate. Click the Browse files button next to the field and navigate to the certificate you exported. The saml2-cert file was saved to <INSTALLDATADIR>.
- Click Next and then click Finish.
- Finally, navigate to the Xpress Insight 5 Server and verify you can log in to and log out from Insight.
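A pre-upload check for the exported saml2-cert file, as an added example that is not part of the original documentation: it confirms the file holds at least one certificate and no private key block (which the export would contain if -nokeys were omitted) and computes a SHA-256 fingerprint to record. The function names and sample text are constructed for illustration.

```python
import base64
import hashlib
import re

# Any PEM block: -----BEGIN <label>----- body -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def inspect_export(pem_text):
    """Summarise the PEM blocks found in an `openssl pkcs12` export."""
    blocks = PEM_BLOCK.findall(pem_text)
    certs = [base64.b64decode("".join(body.split()))
             for label, body in blocks if label == "CERTIFICATE"]
    return {
        # Matches PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...
        "has_private_key": any("PRIVATE KEY" in label for label, _ in blocks),
        "cert_count": len(certs),
        # Fingerprint = SHA-256 over the DER bytes of each certificate
        "sha256": [hashlib.sha256(der).hexdigest() for der in certs],
    }

def safe_to_upload(pem_text):
    """True only if the file has a certificate and no private key block."""
    info = inspect_export(pem_text)
    return info["cert_count"] >= 1 and not info["has_private_key"]

# Constructed sample input: placeholder bytes, not a real certificate or key.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
GOOD_EXPORT = (
    "Bag Attributes\n    friendlyName: sample\n"   # text header openssl writes
    "-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + "\n-----END CERTIFICATE-----\n"
)
# What the file would also contain if -nokeys had been left off.
BAD_EXPORT = GOOD_EXPORT + (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + SAMPLE_B64 +
    "\n-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(name, safe_to_upload(text), inspect_export(text)["sha256"])
```

To check the real export, pass the contents of the saml2-cert file in <INSTALLDATADIR> to `inspect_export` in place of the constructed samples.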
© 2001-2020 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.