Configure SAML assertion encryption to protect the data transferred between Okta and Trend Cloud One.
Configuring SAML assertion encryption further secures the connection between Okta and Trend Cloud One: Okta encrypts each assertion with the data encryption algorithm and key transport algorithm you specify, using a certificate that you issue for Trend Cloud One's key. Only Trend Cloud One, which holds the matching private key, can decrypt the assertion.
Set up Okta with SAML first. For more information, see the Okta setup guide.
Important
Install OpenSSL before configuring SAML assertion encryption.
To set up SAML assertion encryption:

Procedure

  1. In Trend Cloud One Administration, go to Account Settings > Identity Providers.
  2. Click Download Metadata XML for Trend Cloud One.
  3. Download the metadata.xml file.
  4. Open metadata.xml with a text editor.
    Important
    Do not open the file in a browser, as the browser may alter the format of the CSR (Certificate Signing Request) embedded in it.
  5. Copy the CSR from metadata.xml, including its BEGIN and END lines, and save it as saml_encryption.csr.
  6. Open the command line interface.
  7. Generate the CA private key file by running the following:
    openssl genpkey -algorithm RSA -out ca_private_key.pem -pkeyopt rsa_keygen_bits:2048
  8. Generate the self-signed CA certificate file:
    1. Enter the following command:
      openssl req -x509 -new -nodes -key ca_private_key.pem -sha256 -days 1024 -out ca_certificate.pem
      -days 1024 sets the validity period of the CA certificate to 1024 days. The CA certificate must remain valid at least as long as the encryption certificate you issue from it in the next step.
    2. Provide the following information when prompted.
      • Country Name (2 letter code) [AU]: US
      • State or Province Name (full name) [Some-State]: (leave blank)
      • Locality Name (for example, city) [ ]: (leave blank)
      • Organization Name (for example, company) [Internet Widgits Pty Ltd]: Trend Micro
      • Organizational Unit Name (for example, section) [ ]: (leave blank)
      • Common Name (for example, server FQDN or YOUR name) [ ]: (leave blank)
      • Email Address [ ]: (leave blank)
  9. Generate the encryption certificate file by signing the CSR with the CA:
    openssl x509 -req -in saml_encryption.csr -CA ca_certificate.pem -CAkey ca_private_key.pem -CAcreateserial -out certificate.crt -days 1024 -sha256
    where -days 1024 sets the validity period of the certificate to 1024 days. Record the expiry date: when certificate.crt expires, Okta can no longer encrypt assertions with it and you must issue a new one.
    The command also writes ca_certificate.srl, the serial number file. After signing, neither Okta nor Trend Cloud One needs ca_private_key.pem; keep it offline or delete it. Only certificate.crt is uploaded to Okta.
  10. Configure the assertion encryption in Okta:
    1. Log in to your Okta organization as a user with administrative privileges.
    2. Go to Applications > Applications and, in the ACTIVE section, select sso-beta.
    3. In the SAML Settings section of the sso-beta screen, click Edit.
    4. On the General tab of the Configure SAML screen, click Show Advanced Settings.
    5. Next to Assertion Encryption, select Encrypted.
    6. Next to Encryption Algorithm, select AES256-CBC.
    7. Next to Key Transport Algorithm, select RSA-OAEP.
    8. Next to Encryption Certificate, click Browse files... and select the certificate.crt file you generated in step 9.
    9. Click Next.
    10. Click Finish.
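Steps 7 to 9 as one non-interactive script, added here as an example; it is not code from the Trend Micro page or from Okta. It assumes openssl is on PATH and that the CSR copied from metadata.xml is saved as saml_encryption.csr. When run without arguments it generates a stub CSR (constructed so the example runs offline; in real use Trend Cloud One generates and keeps the key behind the CSR). The function names are the example's own. It adds the checks a practitioner wants before uploading certificate.crt to Okta: the certificate carries the public key from the CSR, so Trend Cloud One can decrypt what Okta encrypts; it verifies against ca_certificate.pem; and the RSA key is at least 2048 bits.

```shell
#!/bin/sh
# Added example: sign the Trend Cloud One CSR with a local throwaway CA and verify
# the result before uploading it to Okta. Assumes openssl is on PATH. Function
# names and the stub CSR are this example's own, not from the Trend Micro page.
set -eu

# Steps 7 and 8 of the procedure: CA private key and self-signed CA certificate.
# -subj answers the interactive prompts (country and organization, rest blank).
make_ca() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca_private_key.pem" 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca_private_key.pem" -sha256 -days 1024 \
        -subj "/C=US/O=Trend Micro" -out "$dir/ca_certificate.pem" 2>/dev/null
}

# Step 9: issue the encryption certificate from the CSR. The private key matching
# the CSR stays inside Trend Cloud One; the CA key only signs and is not needed later.
sign_csr() {
    dir=$1
    openssl x509 -req -in "$dir/saml_encryption.csr" -CA "$dir/ca_certificate.pem" \
        -CAkey "$dir/ca_private_key.pem" -CAcreateserial -days 1024 -sha256 \
        -out "$dir/certificate.crt" 2>/dev/null
}

# Pre-upload checks: the public key in certificate.crt is the one from the CSR
# (otherwise Trend Cloud One cannot decrypt what Okta encrypts), the certificate
# verifies against ca_certificate.pem, and the RSA key is at least 2048 bits.
verify_cert() {
    dir=$1
    csr_key=$(openssl req -in "$dir/saml_encryption.csr" -noout -pubkey)
    crt_key=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey)
    if [ "$csr_key" != "$crt_key" ]; then
        echo "certificate public key does not match the CSR" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$dir/ca_certificate.pem" "$dir/certificate.crt" >/dev/null 2>&1; then
        echo "certificate does not verify against ca_certificate.pem" >&2
        return 1
    fi
    bits=$(openssl x509 -in "$dir/certificate.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "RSA key too small: ${bits:-unknown} bits" >&2
        return 1
    fi
}

# Constructed stand-in for the CSR exported in metadata.xml, so the example runs
# offline. In real use the key behind the CSR is generated and held by Trend Cloud One.
make_stub_csr() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/stub_sp_key.pem" 2>/dev/null
    openssl req -new -key "$dir/stub_sp_key.pem" -subj "/CN=stub-trend-cloud-one" \
        -out "$dir/saml_encryption.csr" 2>/dev/null
}

# Sign and verify the stub CSR in a scratch directory; prints the path of certificate.crt.
run_demo() {
    dir=$(mktemp -d)
    make_stub_csr "$dir"
    make_ca "$dir"
    sign_csr "$dir"
    verify_cert "$dir"
    echo "$dir/certificate.crt"
}

# Usage: sh sign_saml_csr.sh saml_encryption.csr   (real CSR from metadata.xml)
#        sh sign_saml_csr.sh                       (offline demo with the stub CSR)
main() {
    if [ -r "${1:-}" ]; then
        dir=$(mktemp -d)
        cp "$1" "$dir/saml_encryption.csr"
        make_ca "$dir"
        sign_csr "$dir"
        verify_cert "$dir"
        echo "$dir/certificate.crt"
    else
        run_demo
    fi
}
main "$@"
```

The public-key comparison is the check that matters most: a certificate.crt issued for any other key would upload to Okta without complaint, and every login would then fail because Trend Cloud One could not unwrap the RSA-OAEP key transport. Run the script with the real saml_encryption.csr, upload the certificate.crt it prints, and keep the CA material out of the directory you hand around.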