
Configuring IdP to use Encrypted Assertions

For additional security, you can encrypt the SAML response returned from the IdP to your Xpress Insight 5 Server, protecting the authentication data from unauthorized access.

The IdP encrypts the SAML response with the certificate (public key) from the previously generated key pair; only the Xpress Insight 5 Server, which holds the matching private key, can decrypt it. For more on creating the KeyStore, see Configuring Xpress Insight 5 to use SAML 2.0.

The previously generated key is named config/saml2-keystore and is held in the config folder in <SERVER_CONFIG_DIR>.

Note You need to have OpenSSL installed (or another tool able to convert PEM to PKCS12 files) to complete this process.

In this example, we have used Okta as the IdP. The process should be similar for other IdPs. The example shows the Classic UI.

To configure the IdP to accept the encrypted assertions from Xpress Insight, perform the following steps:
  1. Open a Command Prompt window on the machine hosting the Xpress Insight Server at the following location:
    • In Windows, navigate to C:\ProgramData\FICO\Xpress Insight\Server (default installation settings used).
    • In Linux, navigate to /etc/fico-xpress-insight-server.
  2. In the Command Prompt window, type the following command, using the name saml2-cert:
    openssl pkcs12 -in saml2-keystore -nokeys -out saml2-cert
    Note This instruction exports only the Encryption certificate that you will upload to the IdP; the -nokeys option ensures the private key stays in the keystore and is never written to the exported file. Make a note of where the file is stored.
  3. Log in to the administration interface of your instance of Okta.
  4. Select your Xpress Insight 5 tile in the Applications window.
  5. Open the General tab, then select Edit on the SAML Settings pane.
  6. Click Next to open the second page of the Edit SAML Integration wizard.
  7. Click the Advanced Settings link.
  8. Click the Assertion Encryption drop-down and select Encrypted. The page updates to display some encryption options.
  9. Update the Encryption Certificate. Click the Browse files button next to the field and navigate to the certificate you exported. The saml2-cert file was saved to:
    • In Windows, C:\ProgramData\FICO\Xpress Insight\Server (default installation settings used).
    • In Linux, /etc/fico-xpress-insight-server.
  10. Click Next and then click Finish.
  11. Finally, navigate to the Xpress Insight 5 Server and verify you can log in to and log out from Insight 5.
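The following script is an added example and not part of the FICO documentation. It runs the export from step 2 against a keystore and then checks that the resulting file is safe to upload: it must contain a certificate and must not contain a private key. It assumes OpenSSL is on the PATH (as the Note above requires). The make_test_keystore function builds a throwaway, self-signed keystore purely as a constructed fixture; in a real deployment you would point export_saml_cert at the saml2-keystore in your server configuration directory instead. Passwords are handed to OpenSSL through the environment (-passin env:) so they do not appear in the process list.

```shell
#!/bin/sh
# Added example (not from the FICO documentation): export the encryption
# certificate from a PKCS12 keystore as in step 2, then verify the export.
# Assumes OpenSSL is installed. Function and file names are hypothetical.

# Export only the certificate(s) from a PKCS12 keystore into a PEM file.
# $1 = keystore path, $2 = output path, $3 = keystore password
export_saml_cert() {
    KEYSTORE_PASS="$3" openssl pkcs12 -in "$1" -nokeys \
        -out "$2" -passin env:KEYSTORE_PASS
}

# Verify the export: it must hold a certificate and must not leak a key.
# Returns 0 when the file is safe to upload to the IdP, 1 otherwise.
check_cert_export() {
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 1
    fi
    # Show what the IdP will see: subject and expiry of the certificate.
    openssl x509 -in "$1" -noout -subject -enddate
}

# Build a throwaway keystore (constructed test fixture, not the real
# saml2-keystore created during the SAML 2.0 server configuration).
# $1 = directory, $2 = password
make_test_keystore() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=insight-saml-test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    KEYSTORE_PASS="$2" openssl pkcs12 -export -name saml2 \
        -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/saml2-keystore" -passout env:KEYSTORE_PASS
}

# Usage: run the whole procedure against the constructed keystore.
demo() {
    dir=$(mktemp -d)
    make_test_keystore "$dir" changeit
    export_saml_cert "$dir/saml2-keystore" "$dir/saml2-cert" changeit
    check_cert_export "$dir/saml2-cert"
}

demo
```

The check matters because a keystore export with the wrong options (for example, omitting -nokeys) writes the private key next to the certificate, and uploading that file would hand the IdP the key that protects every encrypted assertion. Running check_cert_export before the upload in step 9 catches that mistake.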