Configuring IdP to use Encrypted Assertions

For additional security, you can encrypt the SAML response returned from the IdP to your Xpress Insight Server, protecting the authentication data from unauthorized access.

The IdP can encrypt the SAML response using the previously generated key. For more on creating the KeyStore, see Configuring Xpress Insight to use SAML 2.0.

The previously generated key is stored in the file saml2-keystore in the config folder of <SERVER_CONFIG_DIR> (that is, config/saml2-keystore).

Note: You need to have OpenSSL installed (or another tool able to convert PEM to PKCS12 files) to complete this process.

In this example, we have used Okta as the IdP. The process should be similar for all IdP providers. The example shows the Classic UI.

To configure the IdP to accept the encrypted assertions from Xpress Insight, perform the following steps:
  1. Open a Command Prompt window on the machine hosting the Xpress Insight Server at the following location:
    • In Windows, navigate to C:\ProgramData\FICO\XpressInsight\Server (default installation settings used).
    • In Linux, navigate to /etc/fico-xpress-insight-server.
  2. In the Command Prompt window, type the following command, using the name saml2-cert:
    openssl pkcs12 -in saml2-keystore -nokeys -out saml2-cert
    Note: This command exports the encryption certificate that you will upload to the IdP; because of the -nokeys option, the private key is not included in the exported file. Make a note of where it is stored.
  3. Log in to the administration interface of your instance of Okta.
  4. Select your Xpress Insight tile in the Applications window.
  5. Open the General tab, then select Edit on the SAML Settings pane.
  6. Click Next to open the second page of the Edit SAML Integration wizard.
  7. Click the Advanced Settings link.
  8. Click the Assertion Encryption drop-down and select Encrypted. The page updates to display some encryption options.
  9. Update the Encryption Certificate. Click the Browse files button next to the field and navigate to the certificate you exported. The saml2-cert file was saved to:
    • In Windows, C:\ProgramData\FICO\XpressInsight\Server (default installation settings used).
    • In Linux, /etc/fico-xpress-insight-server.
  10. Click Next and then click Finish.
  11. Finally, navigate to the Xpress Insight Server and verify you can log in to and log out from Insight 5.
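As an added example (not part of the FICO documentation or the Xpress Insight product), the following POSIX shell script wraps the openssl command from step 2 in a function that also checks the exported file before you upload it to the IdP: the file must contain no private key material (only the certificate is sent to the IdP) and must parse as an X.509 certificate. The keystore password passed via -passin, the 30-day expiry check, and the constructed demo keystore are assumptions; point export_saml2_cert at the real saml2-keystore in <SERVER_CONFIG_DIR>/config instead of the demo one.

```shell
#!/bin/sh
# Added example: export the SAML encryption certificate from a PKCS12 keystore
# and verify the result before uploading it to the IdP. Not FICO's own script.
set -eu

# export_saml2_cert KEYSTORE OUTFILE PASSWORD
# Runs the same openssl command as the documented step 2 (password supplied
# with -passin instead of the interactive prompt; assumption), then checks
# that OUTFILE holds a parseable certificate and no private key.
# Return codes: 0 ok, 1 openssl failed, 2 private key leaked, 3 not a cert.
export_saml2_cert() {
  keystore="$1"; outfile="$2"; password="$3"
  openssl pkcs12 -in "$keystore" -nokeys -out "$outfile" \
    -passin "pass:$password" >/dev/null 2>&1 || return 1
  # A file destined for the IdP must never carry a private key.
  if grep -q "PRIVATE KEY" "$outfile"; then return 2; fi
  # It must parse as an X.509 certificate.
  openssl x509 -in "$outfile" -noout -subject >/dev/null 2>&1 || return 3
  return 0
}

# cert_not_expiring CERTFILE
# Succeeds if the certificate stays valid for at least 30 days (2592000 s),
# so the IdP does not receive a certificate that is about to expire.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1
}

# cert_count FILE: prints how many PEM certificates the file contains.
cert_count() {
  grep -c "BEGIN CERTIFICATE" "$1" || true
}

# make_demo_keystore DIR PASSWORD
# Builds a constructed self-signed key pair and PKCS12 keystore so the example
# runs offline; it stands in for the real saml2-keystore (assumption).
make_demo_keystore() {
  dir="$1"; password="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/demo.key" \
    -out "$dir/demo.crt" -days 365 -subj "/CN=xpress-insight-demo" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/demo.key" -in "$dir/demo.crt" \
    -name saml2 -out "$dir/saml2-keystore" -passout "pass:$password" >/dev/null 2>&1
}

# Demonstration on the constructed keystore.
demo_dir=$(mktemp -d)
make_demo_keystore "$demo_dir" "demo-password"
if export_saml2_cert "$demo_dir/saml2-keystore" "$demo_dir/saml2-cert" "demo-password"; then
  echo "exported $(cert_count "$demo_dir/saml2-cert") certificate(s) to $demo_dir/saml2-cert"
else
  echo "export check failed with code $?"
fi
```

Run the script on the machine hosting the Xpress Insight Server and, once the real keystore path and password are substituted, upload the resulting saml2-cert file in step 9 only if the function returns 0.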

© 2001-2024 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.