Enable SAML response encryption

To increase the security of the communication between Collibra Data Intelligence Platform and an SSO provider, Collibra supports encrypted SAML responses. The Identity Provider (IdP) encrypts the assertion with Collibra's public encryption key, so the user attributes it carries cannot be read by anything that sees the response on its way to Collibra, including the user's browser through which it is posted.

Prerequisites

  • You can access the Collibra REST API.

Steps

Enable response decryption

  1. Open the DGC service settings for editing:
  2. In the Security configuration section, click SSO.
  3. Set the option Response decryption mode to OPTIONAL or FORCED. OPTIONAL accepts both encrypted and unencrypted responses, which lets you roll out encryption without breaking sign-in; FORCED rejects unencrypted responses and is the mode to switch to once the IdP is confirmed to be encrypting.

    An encryption key pair is generated and added to the SAML keystore. A self-signed encryption certificate is generated and works in most situations: the IdP uses it only to encrypt for Collibra's public key, and trust in it comes from importing it explicitly into the IdP, not from a CA chain.
  4. Click Save all.

Provide encryption certificate to Identity Provider

The encryption certificate of Collibra has to be imported in the Identity Provider. You can retrieve this encryption certificate via the Collibra REST API.

  1. Retrieve the certificate via the endpoint at /rest/2.0/security/saml and copy the base64 representation of the encryption certificate. If the response lists more than one certificate, take the one whose KeyDescriptor has use="encryption", not the signing certificate.
  2. Copy the content of the ds:X509Certificate element into a PEM file. A PEM file is a plain text file with the extension pem; the element content is the base64 of the DER certificate, so wrapping it between the BEGIN and END CERTIFICATE lines (base64 lines no longer than 64 characters) is all that is needed:
    -----BEGIN CERTIFICATE-----
    MIICrDCCAZSgAwIBAgI...
    -----END CERTIFICATE-----
  3. Provide this PEM file to an administrator of the Identity Provider who can load it into the IdP.
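The retrieval and conversion above, as an added example that is not part of the Collibra documentation or product code. It assumes that /rest/2.0/security/saml returns standard SAML 2.0 SP metadata (an md:EntityDescriptor with md:KeyDescriptor elements) and that the REST API accepts HTTP basic authentication; the metadata it runs against offline is constructed here with placeholder DER bytes, not a real certificate.

```python
"""Pick the SP encryption certificate out of SAML SP metadata and emit it as PEM.

Added example, not Collibra code. Assumed: /rest/2.0/security/saml returns
SAML 2.0 SP metadata and accepts HTTP basic authentication.
"""
import base64
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fetch_sp_metadata(base_url: str, username: str, password: str) -> str:
    """Download the SP metadata XML from Collibra (network call, assumed basic auth)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/rest/2.0/security/saml")
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def extract_certificate(metadata_xml: str, use: str = "encryption") -> bytes:
    """Return the DER bytes of the KeyDescriptor whose use attribute matches.

    SAML 2.0 metadata allows a KeyDescriptor with no use attribute, which then
    serves both signing and encryption; it is accepted only as a fallback.
    """
    root = ET.fromstring(metadata_xml)
    chosen = None
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        kd_use = kd.get("use")
        if kd_use == use:
            chosen = kd
            break
        if kd_use is None and chosen is None:
            chosen = kd
    if chosen is None:
        raise ValueError(f"no KeyDescriptor with use={use!r} in metadata")
    cert_el = chosen.find(".//ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("KeyDescriptor carries no ds:X509Certificate")
    # Metadata usually line-wraps and indents the base64: drop all whitespace first.
    der = base64.b64decode("".join(cert_el.text.split()), validate=True)
    if not der.startswith(b"\x30"):  # every DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded certificate is not a DER SEQUENCE")
    return der


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-character lines) for the IdP admin console."""
    return ssl.DER_cert_to_PEM_cert(der)


# Constructed sample data: placeholder DER-shaped blobs, not real certificates.
SAMPLE_SIG_DER = b"\x30\x82\x00\x40" + bytes(range(64, 128))
SAMPLE_ENC_DER = b"\x30\x82\x00\x40" + bytes(range(0, 64))


def build_metadata(certs: dict) -> str:
    """Construct SP metadata like the endpoint returns, with wrapped base64."""
    descriptors = []
    for use, der in certs.items():
        b64 = base64.b64encode(der).decode("ascii")
        wrapped = "\n        ".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        descriptors.append(
            f'    <md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>\n'
            f"      <ds:X509Certificate>\n        {wrapped}\n      </ds:X509Certificate>\n"
            f"    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n"
        )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://collibra.example.com/saml">\n  <md:SPSSODescriptor>\n'
        + "".join(descriptors)
        + "  </md:SPSSODescriptor>\n</md:EntityDescriptor>\n"
    )


SAMPLE_METADATA = build_metadata({"signing": SAMPLE_SIG_DER, "encryption": SAMPLE_ENC_DER})

if __name__ == "__main__":
    # usage: python saml_enc_cert.py [https://collibra.example.com user password]
    xml_text = fetch_sp_metadata(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_METADATA
    sys.stdout.write(der_to_pem(extract_certificate(xml_text)))
```

Run it with the base URL and credentials (assumed basic auth) and redirect the output to collibra-saml-encryption.pem; without arguments it converts the constructed sample. Before handing the file over, check it with `openssl x509 -in collibra-saml-encryption.pem -noout -subject -enddate -fingerprint -sha256` and give the IdP administrator the SHA-256 fingerprint over a second channel, so the key loaded into the IdP is verifiably the one Collibra generated. Note the expiry date as well: when the self-signed certificate is rotated, the IdP will need the new one or encrypted responses will stop decrypting.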

What's next?

Your Collibra Data Intelligence Platform environment is configured to accept encrypted SAML responses.

If your Identity Provider does not accept self-signed certificates, contact Collibra Support.