You can enable request signing, signed response, or encrypted assertion to enhance authentication security:
Request signing
A signed authentication request contains a signature to verify the authenticity of the request itself. Informatica, acting as a service provider, sends an authentication request to the identity provider. To maintain the integrity of the request, the authentication request can be signed.
Informatica signs a SAML request using a private key, and the identity provider verifies the signature using the corresponding public certificate.
Informatica sends SAML authentication requests through the HTTP-Redirect binding. Because the request is DEFLATE-encoded and carried in the URL, the signature is also carried in a separate URL parameter rather than embedded in the request XML.
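The signing and verification described above, as an added illustration in Go that is not Informatica's own code: the request is DEFLATE-compressed and base64-encoded, the service provider signs the URL-encoded SAMLRequest and SigAlg parameters with its private key, and the identity provider verifies with the corresponding public key. The AuthnRequest XML is a constructed placeholder, and the key pair is generated on the spot in place of the keystore certificate.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
)

// Constructed, minimal AuthnRequest; a real one also carries Issuer, IssueInstant and more.
const sampleRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1"/>`
const sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// encodeRequest applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func encodeRequest(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // valid level, so no error
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// signedQuery builds what the service provider sends: the RSA-SHA256 signature covers the
// URL-encoded "SAMLRequest=...&SigAlg=..." string, not the XML, and travels in a Signature parameter.
func signedQuery(priv *rsa.PrivateKey, xml string) (string, error) {
	toSign := "SAMLRequest=" + url.QueryEscape(encodeRequest(xml)) + "&SigAlg=" + url.QueryEscape(sigAlg)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyQuery is the identity provider's check with the service provider's public key: pin the
// algorithm (SigAlg is inside the signed string, so it cannot be downgraded), rebuild, verify.
// Production code should verify over the parameter bytes exactly as received, not re-escaped values.
func verifyQuery(pub *rsa.PublicKey, rawQuery string) bool {
	q, err := url.ParseQuery(rawQuery)
	if err != nil || q.Get("SigAlg") != sigAlg {
		return false
	}
	sig, _ := base64.StdEncoding.DecodeString(q.Get("Signature")) // malformed input just fails below
	toVerify := "SAMLRequest=" + url.QueryEscape(q.Get("SAMLRequest")) + "&SigAlg=" + url.QueryEscape(sigAlg)
	digest := sha256.Sum256([]byte(toVerify))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```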
Signed response
The identity provider responds to authentication requests from a service provider. A signed response contains a signature that the identity provider creates, using an algorithm chosen by the identity provider administrator. Informatica then verifies the signature using the corresponding public certificate that the domain administrator imported to the SAML truststore.
Signed assertion and encrypted assertion
The identity provider sends assertions of authenticity to service providers.
A signed assertion contains a signature that the identity provider creates, using an algorithm chosen by the identity provider administrator. Informatica then verifies the signature using the corresponding public certificate that the domain administrator imported to the SAML truststore. Informatica recommends that you enable the signed assertion.
The Informatica administrator generates an asymmetric key (public-private key).
The identity provider can encrypt the assertion with an assertion encryption key, a symmetric key that the identity provider generates.
When you enable encrypted assertion, the identity provider also encrypts the symmetric key using the public certificate that the security administrator imported into the identity provider. The SAML response then contains the encrypted assertion and the encrypted symmetric key. Acting as a service provider, Informatica decrypts the encrypted symmetric key using the corresponding private key that the Informatica administrator imported into the SAML keystore. After obtaining the symmetric key, Informatica decrypts the encrypted assertion.
Follow the steps in this section to enable request signing, encrypted assertion, or signed response.