
SAML Encrypted Assertions

What Are SAML Assertions?

SAML assertions are structured messages exchanged between an Identity Provider (IdP) and a Service Provider (SP) to convey user authentication details. They confirm the user's identity, carry attributes about the user (such as name or email), and define the user's permissions or entitlements. The Service Provider's Assertion Consumer Service (ACS) endpoint receives the SAML response from the IdP and validates it, checking the assertion's authenticity and integrity before granting the user access to the requested resource.

Examples of Assertions

SAML assertions commonly contain the following elements:

  • Attributes: Information about the user, such as first name, last name, and email address.

  • X509 Certificate: Used for digital signing and encryption to secure the assertion.

  • Conditions: The validity period of the SAML response, such as start and expiration times.

Using a Certificate Authority (CA)-signed certificate allows these values to be signed and encrypted, which keeps sensitive data from being exposed in diagnostic tools (such as Fiddler or SAML Tracer) and provides an additional layer of security.

The public/private key pair is used to:

  • Encrypt the assertion contents on the IdP side.

  • Decrypt the assertion on the SP side before it is parsed by the Assertion Consumer Service (ACS) for authentication and authorization.

The following is a typical example of an Azure SAML response with all assertion values in clear text. The Subject, Conditions, and AttributeStatement elements carry the assertion data and the user attributes.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_b3056067-2c4e-4986-a339-f3e72f7561f7"
                Version="2.0"
                IssueInstant="2025-05-20T11:19:16.579Z"
                Destination="https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2/Acs"
                InResponseTo="ide3c324bff3394b07b01bb3b05a72ef4f">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/{tenant-id}/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
               ID="_d0455c45-8e67-4251-bcdb-a28a3d980100"
               IssueInstant="2025-05-20T11:19:16.575Z"
               Version="2.0">
        <Issuer>https://sts.windows.net/{tenant-id}/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_d0455c45-8e67-4251-bcdb-a28a3d980100">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>nifYJfcwJS9/12BHIQIRTkxYfiacs0VuFCKse3BB8/o=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>G91wI5pAmYfDmPgiJXsgHIyZBnZu11g6MM4cBUs/FsI...DA==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIC8DCCAdigAwIBAgIQd2yxlloAdYxGgD7846TzgTANBgkqhkiG9w0BAQsFAD0MTIwDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aW...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.doe@alteryx.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="ide3c324bff3394b07b01bb3b05a72ef4f"
                                         NotOnOrAfter="2025-05-20T12:19:16.288Z"
                                         Recipient="https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2/Acs"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2025-05-20T11:14:16.288Z"
                    NotOnOrAfter="2025-05-20T12:19:16.288Z">
            <AudienceRestriction>
                <Audience>https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>30f6e3b6-e2ba-458d-bc44-60528bee0bd0</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>b64ff4ee-5aef-43be-b767-34a5916d8c03</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/{tenant-id}/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
            </Attribute>
            <Attribute Name="firstName">
                <AttributeValue>John</AttributeValue>
            </Attribute>
            <Attribute Name="lastName">
                <AttributeValue>Doe</AttributeValue>
            </Attribute>
            <Attribute Name="email">
                <AttributeValue>john.doe@alteryx.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2025-05-20T11:15:44.607Z"
                        SessionIndex="_d0455c45-8e67-4251-bcdb-a28a3d980100">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

The following example shows how the structure of a SAML response changes when encryption is applied.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_1d0164cc-d888-4bbe-a592-9691d593ef51"
                Version="2.0"
                IssueInstant="2025-05-20T11:46:54.689Z"
                Destination="https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2/Acs"
                InResponseTo="id0f8b097a777c4000b671df3a24735c2b">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/{tenant-id}/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                            <X509Data>
                                <X509IssuerSerial>
                                    <X509IssuerName>E=john.doe@alteryx.com, CN=WIN-8A4SOSIPQNT.ayx.ayx, OU=Alteryx, O=Alteryx, L=London, S=uk, C=UK</X509IssuerName>
                                    <X509SerialNumber>705589322655184988706920421358426712185360904869</X509SerialNumber>
                                </X509IssuerSerial>
                            </X509Data>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>LjVyAs89Cw+beqHwM3FxpReIw2cJNIhtBDw0td80Bms8LzzJkW3fc9jg7EQXzfnY0zDOxqpQ6kqxWDV12ypE6v8QnuE0XBaoteQ5XUJfhVAZHlOVRUYdgBVQE10V9uWS+l08lekKVsE8VxGjcSHv8tHiYBiL/EPY2zGSsN9Z8TjHdgLX3uwc0yS1ALAPNK0anvw2yTAvqGEiGrzEy+hvJnxcLHG2paDVJKS5vg7sq1559Tys3oOJOTFSbQNPsHLgXuR/17jcYjT/o8JUcMi8sbjTI/+qs78s6Qar+vVpamHaK15X7Tzq+oegYllJnnxEMeLsEP/7yvcLg0si/D3Z9A==</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>7ZEiVBzl8oJG65n5v+13NgxYEGcA6h9mXN3trIfYaabWhdEMA3/syn3tHaSIpTwBMK5fJNvdx2A2wDLpimYyL62E5ZUv6TM9M940ZZhVNxoJMw4jq44Gi2FFP31m6eGx7VdvnNUEkS4KqUXUfEpJ0xU4FvacNL0xjqHHyzymZKDEE2HOx7HfumXyBrTDCvhNS4LsuyvGfWzI347VFfYY5AeQoecjl7iz86yYQEJy1v4hkKQM8cW7B73XSXtQ==</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>

The following is a typical example of an Okta SAML response.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 Destination="https://pod-7257817.ayxayx.com/webapi/Saml2/acs"
                 ID="id50965160074357029521100546197"
                 InResponseTo="idc87287cb7e35455ebf9489f80841519b"
                 IssueInstant="2025-06-20T09:52:54.867Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://www.okta.com/trk2ecrfpfp987hz50h8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id50965160074357029521100546197">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>BMc14bBldK4P1iAqLtP56Bot7P0E2S0VHup3HzrtsYM=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Fy0VgnTxgCEen8Sg492m6DRC...FYg==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAZbqA94nMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     ID="id44750929955808200281100824502"
                     IssueInstant="2025-06-20T09:52:54.867Z"
                     Version="2.0"
                     >
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                      >http://www.okta.com/exk2ecrfpfpXRPhz50h8</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#id44750929955808200281100824502">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="xs"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>nGexU5jGle1QoI05VtK5166L/+MGOStNLYvzE6+DDOQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>s1edTWDthoPsd3GW40sYg/q5fekNt+O...Ag==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDpDCCAoygAwAgIGAZbqA94nMA0GCSqGSIb3DQEBAMIGSMQswCQYDVQQGEwJVUzETMBEG
AUECAwKQ...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.doe@alteryx.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="idc87287cb7e35455ebf9489f80841519b"
                                               NotOnOrAfter="2025-06-20T09:57:54.867Z"
                                               Recipient="https://pod-7257817.ayxayx.com/webapi/Saml2/acs"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          NotBefore="2025-06-20T09:47:54.867Z"
                          NotOnOrAfter="2025-06-20T09:57:54.867Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://pod-7257817.ayxayx.com/webapi/Saml2</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                              AuthnInstant="2025-06-20T09:36:02.556Z"
                              SessionIndex="idc87287cb7e35455ebf9489f80841519b"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >john.doe@alteryx.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="firstName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >John</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="lastName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Doe</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

The following example shows how the structure of a SAML response changes when encryption is applied.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://pod-7257817.ayxayx.com/webapi/Saml2/acs"
                 ID="id-9097293882340198061719617948"
                 InResponseTo="idc2aa4cac47b94800ac3c828ebe932b6e"
                 IssueInstant="2025-06-20T09:48:57.609Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://www.okta.com/trk2ecrfpff33RPhz50h8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id-9097293882340198061719617948">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>NPm+7AusftaL5NkgOiqZLM2zD6WttP+chxxcJsTjdAU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>vPn1UPpRFAFV1x/f0J1KHQCrf1hT08CO5mCbC...h7w==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAZbqA94nMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Id="_3baec3e9550a5a64750429fa91b8c573"
                            Type="http://www.w3.org/2001/04/xmlenc#Element"
                            >
            <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                   Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
                                   />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
                                    URI="#_e1e7d46469c3dd081df5dfd8b6533708"
                                    />
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>CDruFnE+82tzQjgeNrYwDNQsio8/mH/1ASiZlOpRbxe25ZWTZaJ7ieVOgmf4lrdy1gmLo9DP2kvTOfQNxX79FoJo6c1TAHIuiqGNuHOIK5PQry...z67cng=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                           Id="_e1e7d46469c3dd081df5dfd8b6533708"
                           >
            <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                   Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                                   >
                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                                 Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                                 />
            </xenc:EncryptionMethod>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIEYzCCA0ugAwIBAgIUeM2hjmWesJsjW7w9cBgchlyAfDcwDQYJKoZIhvcNAQELBQAwgaQxCzAJ
BgNVBAYTAnVrMQswCQYDVQQIDAJ1azE...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>TsauMNORZBMHoAt5PxQVfK6d6hc+WLrvxWvzzhVWhJWvKjwWFMYXMJpe1B9VkSD0pnHZ4d7xK2rGQHTqIXhBPOK6lhLbWhtHQ0nLONiIR2/TgaxIA6RGlxBs65jt3B/6J8o4dPWdr9dx5On/HZ/l8LQz7mv0tmlnTb7KnNucDurEb2RlNeTWDTBR77YZzZTav9nyUexyXW/cN1TTQJNcfPTJrwq0zyG/Cwryg3NDJiAdEBnS2ubc8p3xuvEYRK8G/wJz7Xe2NfmzHZeKk8EEIDK/O2DXwil6fnSRHCDCiDb9tYDdYhZAVUbRYPjU15MO/GbmNm8CG2O+o1Uh3GPEXQ==</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
                <xenc:DataReference URI="#_3baec3e9550a5a64750429fa91b8c573" />
            </xenc:ReferenceList>
        </xenc:EncryptedKey>
    </saml2:EncryptedAssertion>
</saml2p:Response>
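The two encrypted responses above share one envelope: an EncryptedKey that carries the content key wrapped for the Server's certificate, and an EncryptedData element that carries the assertion itself. The Go program below is an added illustration, not code from Alteryx Server, Azure, or Okta. It implements the exchange described under "The public/private key pair is used to" with the algorithm identifiers from the Okta example (aes256-cbc for the assertion, rsa-oaep-mgf1p for the key): the IdP side encrypts a constructed sample assertion, the SP side unwraps the key and decrypts before anything is parsed, and a response encrypted for a different certificate fails to decrypt, which is the situation behind the "Failed to verify with IDP" cases in the troubleshooting section. The function names, the sample assertion, and the simplified envelope (no KeyInfo, ReferenceList, or Signature) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Algorithm identifiers as in the encrypted Okta response above; the sample assertion is constructed.
const (
	algAES256CBC    = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
	algRSAOAEP      = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
	sampleAssertion = `<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo"><Subject><NameID>john.doe@alteryx.com</NameID></Subject></Assertion>`
)

type method struct {
	Algorithm string `xml:"Algorithm,attr"`
}

// encryptedPart models both xenc:EncryptedData (AES ciphertext, IV prepended) and xenc:EncryptedKey (wrapped AES key).
type encryptedPart struct {
	Method      method `xml:"EncryptionMethod"`
	CipherValue string `xml:"CipherData>CipherValue"`
}

type encryptedAssertion struct {
	XMLName       xml.Name      `xml:"urn:oasis:names:tc:SAML:2.0:assertion EncryptedAssertion"`
	EncryptedData encryptedPart `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	EncryptedKey  encryptedPart `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedKey"`
}

// EncryptAssertion is the IdP side: a fresh AES-256 key encrypts the assertion in CBC mode and is
// itself wrapped with the SP's public key using RSA-OAEP with SHA-1 (what rsa-oaep-mgf1p names).
func EncryptAssertion(assertion []byte, spPub *rsa.PublicKey) (*encryptedAssertion, error) {
	buf := make([]byte, 32+aes.BlockSize) // content key followed by IV
	rand.Read(buf)                        // crypto/rand.Read never returns an error in current Go
	key, iv := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(assertion)%aes.BlockSize // PKCS#7-style padding, accepted by XML Encryption
	padded := append(append([]byte{}, assertion...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, spPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &encryptedAssertion{
		EncryptedData: encryptedPart{method{algAES256CBC}, base64.StdEncoding.EncodeToString(append(iv, ct...))},
		EncryptedKey:  encryptedPart{method{algRSAOAEP}, base64.StdEncoding.EncodeToString(wrapped)},
	}, nil
}

// DecryptAssertion is the SP side, run before the ACS parses anything; accepted algorithms are pinned, not read from the message.
func DecryptAssertion(doc []byte, spPriv *rsa.PrivateKey) ([]byte, error) {
	var ea encryptedAssertion
	if err := xml.Unmarshal(doc, &ea); err != nil {
		return nil, err
	}
	if ea.EncryptedData.Method.Algorithm != algAES256CBC || ea.EncryptedKey.Method.Algorithm != algRSAOAEP {
		return nil, errors.New("unexpected encryption algorithm")
	}
	wrapped, _ := base64.StdEncoding.DecodeString(ea.EncryptedKey.CipherValue)
	key, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, spPriv, wrapped, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("cannot unwrap content key: wrong certificate or corrupt EncryptedKey")
	}
	data, err := base64.StdEncoding.DecodeString(ea.EncryptedData.CipherValue)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("malformed CipherValue")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // XML Encryption padding: the last byte gives the pad length
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	return pt[:len(pt)-n], nil
}

// RoundTrip runs the exchange with fresh keys: did the SP recover the assertion, and is a wrong-certificate response rejected?
func RoundTrip() (recovered, wrongKeyRejected bool) {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ea, _ := EncryptAssertion([]byte(sampleAssertion), &spKey.PublicKey)
	doc, _ := xml.MarshalIndent(ea, "", "  ") // a nil ea (encryption failed) marshals to nothing and fails below
	got, err := DecryptAssertion(doc, spKey)
	_, wrongErr := DecryptAssertion(doc, otherKey)
	return err == nil && string(got) == sampleAssertion, wrongErr != nil
}

func main() { fmt.Println(RoundTrip()) }
```

Two points carry over to a real deployment: the SP must pin the algorithms it accepts rather than honouring whatever the message names, and a failure to unwrap the content key with the configured private key is indistinguishable from "wrong certificate", which is why the thumbprint and private-key prerequisites in the setup steps matter.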

Set Up SAML Token Encryption for Encrypted Assertions in Azure

Note

This section assumes the following prerequisites are already in place:

  • Basic SAML Configuration is completed in both Azure and the Alteryx System Settings.

  • A preconfigured certificate with a private key is available, issued by a valid Certificate Authority (CA).

To set up SAML token encryption for encrypted assertions in Azure...

  1. Sign in to the Azure Portal.

  2. Go to Microsoft Entra ID > Enterprise application.

  3. Search for and select your SAML Application.

  4. Select Token Encryption.

  5. To import your certificate, select Import Certificate. Then upload your public certificate (CRT) file to Azure.

  6. After uploading, select the three-dot menu next to the certificate, and select Activate token encryption certificate.

  7. Ensure that the associated private key is installed in the Windows Certificate Store on the Alteryx Server. Also confirm that the certificate chain and dependencies are correctly located on your machine.

  8. Open Alteryx System Settings on the Server.

  9. Go to Server UI > Authentication.

  10. To enable encryption, select Encrypt Assertions.

  11. In the Decryption Certificate Hash field, enter the thumbprint of the installed certificate (the certificate whose private key you installed in step 7).

  12. To finish setup, select Next through the remaining prompts and then Finish.

  13. If successful, the AlteryxService will restart automatically. When SAML authentication is triggered, the SAML assertions and attributes will appear encrypted in SAML trace tools.

Set Up SAML Token Encryption for Encrypted Assertions in Okta

Note

This section assumes the following prerequisites are already in place:

  • Basic SAML Configuration is completed in both Okta and the Alteryx System Settings.

  • A preconfigured certificate with a private key is available, issued by a valid Certificate Authority (CA).

To set up SAML token encryption for encrypted assertions in Okta...

  1. Sign in to the Okta Portal.

  2. From the left navigation pane, select Applications.

  3. Use the search bar to find and select your SAML application.

  4. Select General. Under SAML Settings, select Edit. To proceed, select Next.

  5. Under SAML Settings, select Show Advanced Settings.

  6. Under Assertion Encryption, set the dropdown to Encrypted. You can leave the default algorithms selected.

  7. Under Encryption Certificate, select Browse and upload your public certificate (CRT) file.

  8. To complete the configuration, select Next and then Finish.

  9. Ensure that the associated private key is installed in the Windows Certificate Store on the Alteryx Server. Also confirm that the certificate chain and dependencies are correctly located on your machine.

  10. Open Alteryx System Settings on the Server.

  11. Go to Server UI > Authentication.

  12. To enable encryption, select Encrypt Assertions.

  13. In the Decryption Certificate Hash field, enter the thumbprint of the installed certificate (the certificate whose private key you installed in step 9).

Troubleshooting

What Happens If a Decryption Certificate Hash Is Entered Incorrectly?

If the decryption certificate hash is entered incorrectly in the Alteryx System Settings:

  • The AlteryxService fails to start.

  • The SSO logs contain errors similar to the following:

    ERROR,1,AlteryxServerWebApiHost,ssoLogger,ConfigureSamlIdentityProvider,,,,WIN-8A4SOSIPQNT,,,,,,
    Exception thrown when configuring SSO IdP.,
    "System.Exception: Certificate with thumbprint '76634fd5bc020d515fd8218cc7206c9bcb47c91' not found in LocalMachine/Personal store
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.GetX509Certificate2(String certHash)
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.ConfigureSamlIdentityProvider(ILogger ssoLogger, Saml2AuthenticationOptions saml2options)"
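The "not found in LocalMachine/Personal store" line above is the lookup of the configured hash against the store failing. One cause is visible in the log itself: the thumbprint it quotes has 39 hex digits, and a SHA-1 thumbprint has 40, so it cannot match any certificate. The Go program below is an added illustration, not part of Alteryx Server. It shows the checks worth running on a thumbprint before saving it: normalizing the pasted value (spaces, colons, case, and the invisible left-to-right mark that some Windows certificate dialogs copy along with the text), rejecting anything that is not exactly 40 hex digits, and comparing it with the SHA-1 of the installed certificate's DER encoding, which is the value the Windows certificate store displays as the thumbprint. The function names and the self-signed certificate are assumptions of this example; it does not check that the private key is present, which is the separate prerequisite in step 7.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
	"unicode"
)

// NormalizeThumbprint takes the value as pasted into the Decryption Certificate Hash field and returns
// the canonical 40-hex-digit uppercase form, or an error saying why it cannot be a SHA-1 thumbprint.
func NormalizeThumbprint(s string) (string, error) {
	var b strings.Builder
	for _, r := range s {
		switch {
		case unicode.IsSpace(r) || r == ':':
			continue // separators added by certificate viewers are harmless
		case r == '\u200e' || r == '\u200f' || r == '\ufeff':
			continue // invisible marks that some certificate dialogs copy along with the text
		case strings.ContainsRune("0123456789abcdefABCDEF", r):
			b.WriteRune(unicode.ToUpper(r))
		default:
			return "", fmt.Errorf("thumbprint contains non-hex character %q", r)
		}
	}
	out := b.String()
	if len(out) != 40 {
		return "", fmt.Errorf("thumbprint has %d hex digits; a SHA-1 thumbprint has 40", len(out))
	}
	return out, nil
}

// Thumbprint computes what the Windows certificate store displays: SHA-1 over the DER-encoded certificate.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// MatchesInstalled reports whether a configured hash resolves to the given installed certificate,
// i.e. whether the store lookup that the log excerpt above reports as failing would succeed.
func MatchesInstalled(configured string, installed *x509.Certificate) (bool, error) {
	want, err := NormalizeThumbprint(configured)
	if err != nil {
		return false, err
	}
	return want == Thumbprint(installed), nil
}

// NewSelfSignedCert builds a throwaway certificate so the check can run offline (constructed test data).
func NewSelfSignedCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alteryx-server.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSelfSignedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("installed certificate thumbprint:", Thumbprint(cert))
	for _, typed := range []string{
		strings.ToLower(Thumbprint(cert)),         // lowercase copy of the right value: accepted
		"76634fd5bc020d515fd8218cc7206c9bcb47c91", // the 39-digit value from the log excerpt above: rejected
		"\u200e" + Thumbprint(cert),               // right value with an invisible leading mark: accepted
	} {
		ok, err := MatchesInstalled(typed, cert)
		fmt.Printf("%-42q match=%v err=%v\n", typed, ok, err)
	}
}
```

On the Server itself the equivalent check is to open the certificate in the LocalMachine Personal store, copy its Thumbprint field, and confirm the pasted value is 40 hex digits with no hidden leading character before saving the System Settings.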

What If the PKI Certificate Is Not Available in the Windows Certificate Store?

If the public key infrastructure (PKI) certificate is missing from the Windows Certificate Store, several issues might occur when you validate your SAML configuration:

  • You might encounter the following error when attempting to verify the Identity Provider (IdP):

    Failed to verify with IDP. Check your settings again. 

  • Following a successful sign-in attempt, the browser might return:

    Page Not Found
    The page you are trying to reach does not exist

  • In some cases, the AlteryxService might fail to start.

    To troubleshoot, check the SSO logs for more details. Logs are typically located in C:\ProgramData\Alteryx\logs.

    ERROR,1,AlteryxServerWebApiHost,ssoLogger,ConfigureSamlIdentityProvider,,,,WIN-8A4SOSIPQNT,,,,,,
    Exception thrown when configuring SSO IdP.,
    "System.Exception: Certificate with thumbprint '76634fd5bc020d515fd8218cc7206c9bcb47c91' not found in LocalMachine/Personal store
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.GetX509Certificate2(String certHash)
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.ConfigureSamlIdentityProvider(ILogger ssoLogger, Saml2AuthenticationOptions saml2options)"

What If "Encrypt Assertions" Is Enabled on the IdP but Not in Alteryx?

If the Identity Provider (IdP) is configured to encrypt SAML assertions but Encrypt Assertions is not enabled in Alteryx System Settings, Alteryx cannot validate the assertions: they arrive encrypted with the public key, and no decryption certificate is configured on the Server to decrypt them.

Error messages you might encounter:

  • Failed to verify with IDP. Check your settings again. 

  • Page Not Found
    The page you are trying to reach does not exist

Known Defect

Cosmetic UI defect when resizing the Alteryx System Settings window.

TCPE-1590 (GCSE-3302): The SSL/TLS Cert Hash and Decryption Cert Hash fields overlap when the Alteryx System Settings window is resized.