Decrypt SAML Assertions
Encrypting and decrypting SAML assertions in a Single Sign-On (SSO) flow relies on an asymmetric key pair: a public key and a private key. The key pair belongs to the Service Provider (SP), here the C3 Agentic AI Platform, and protects the assertion that the Identity Provider (IdP) sends to it.
The IdP encrypts the SAML assertion for the SP's public key (in XML Encryption the assertion itself is encrypted with a fresh symmetric key, and that symmetric key is encrypted with the SP's public key). Only the holder of the corresponding private key can decrypt the assertion. By configuring that private key using Config, the C3 Agentic AI Platform can decrypt the SAML assertion, read the user's identity and attributes, and, after validating the IdP's signature on the assertion, grant the user appropriate access. Note that encryption provides confidentiality only: it is the IdP's signature, not successful decryption, that proves the assertion came from the IdP.
Provision CryptoPrivateKey and CryptoPublicKey
A CryptoKeyPair represents a matched CryptoPrivateKey and CryptoPublicKey. In the C3 Agentic AI Platform, the two are paired by giving them the same id when you set them in your C3 AI configuration.
To decrypt an encrypted SAML assertion coming from an Identity Provider (IdP), a CryptoPrivateKey is required.
The provisioned CryptoPrivateKey must be the private key corresponding to the public key the IdP used to encrypt the SAML assertion. Calling CryptoPrivateKey.setSecret stores the private key securely in the C3 Agentic AI Platform.
If the private key material is protected by a passphrase, populate CryptoPrivateKey.passphrase when creating the secret configuration; without the passphrase the key cannot be loaded and decryption fails.
Default CryptoPrivateKey
By default, when Saml.generateSpSsoArtifacts is called, the CryptoPrivateKey used to decrypt encrypted SAML assertions is the one whose id is the platform's fully qualified domain name (FQDN).
If the SAML assertion is not encrypted, no CryptoPrivateKey is needed and none is used.
Custom CryptoPrivateKey
Instead of the default CryptoPrivateKey whose id is the fully qualified domain name, you can use a different key: provision it under a different id and pass that id to the Saml.updateSpKeyPair function. Encrypted SAML assertions received after that are decrypted with the key whose id you specified. The IdP must be given the public key that corresponds to the new private key (for example by re-sharing the SP metadata); otherwise it will keep encrypting for the old public key and decryption will fail.