          Web App Settings: Encrypt SAML Response - Select Control

          Control Name

          Connected Apps: Web App Settings: Encrypt SAML response - Select

          Recommended Configuration

          Encrypt SAML response - Select.

          Control Overview

          This security setting encrypts the entire SAML assertion, which carries the user's identity and authorization attributes, with a public key provided by the service provider before the response is transmitted. Only the service provider, holding the matching private key, can decrypt it.

          Security Risk If Not Configured

          Unencrypted SAML responses for connected web apps expose sensitive identity attributes and authorization claims to network-level eavesdroppers who can intercept plaintext authentication traffic.

          Threat Scenarios

          An attacker performing a man-in-the-middle attack on an insecure network segment captures a plaintext SAML assertion to extract user identifiers, group memberships, and other personally identifiable information for session hijacking or reconnaissance.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to encrypt the response facilitates the unauthorized harvesting of user metadata and increases the organization's exposure to credential theft and downstream account compromise across the federated ecosystem.

          Higher Risk When

          The risk is significantly higher when the SAML assertion contains sensitive custom attributes like employee IDs or social security numbers and is transmitted across public or untrusted network infrastructure.

          Low Risk When

          The risk is lower when the org already mandates end-to-end transport layer security and uses short-lived assertions that are restricted to specific, verified IP ranges.

          Business and Integration Considerations

          Implementing assertion encryption requires the service provider to maintain a valid private key to decrypt the incoming payload, which adds certificate issuance, rotation, and expiry tracking to the integration lifecycle: if the service provider rotates or lets its key expire without the certificate in the connected app being updated, it can no longer decrypt the assertion and logins fail. Encryption protects confidentiality only; the response signature remains what the service provider verifies for integrity and origin.

          Recommended Remediation

          Go to the Web App Settings for the Connected App, select the option to Encrypt SAML Response, and upload the encryption certificate provided by the service provider.

          Security Health Review Guidance

          Security Health Review identifies the encryption of SAML responses as a strongly recommended standard to maintain the confidentiality of identity assertions and prevent the leakage of sensitive user metadata during the authentication handshake.
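
          One way to verify the effect of this control on the wire is to inspect a captured SAML Response and report whether the assertion is encrypted or readable, and which attributes a plaintext assertion would reveal. The following is an added example, not Salesforce's own code or tooling; the two sample responses are constructed, and the attribute names it flags as sensitive (employee ID, SSN) are taken from the guidance above.

```python
# Added example (not Salesforce's code): audit a captured SAML 2.0 Response and
# report whether the assertion is encrypted or readable in transit. The sample
# responses are constructed; use defusedxml rather than ElementTree on untrusted input.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Attribute names the guidance singles out as high-risk when sent in plaintext.
SENSITIVE = {"employeeid", "ssn", "socialsecuritynumber"}

PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeId"><saml:AttributeValue>E12345</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <xenc:CipherData><xenc:CipherValue>QkFTRTY0Q0lQSEVSVEVYVA==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

def audit_saml_response(xml_text: str) -> dict:
    """Return what an on-path observer could read from this response."""
    root = ET.fromstring(xml_text)
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    exposed = []
    for assertion in plain:  # only plaintext assertions reveal anything
        if assertion.find("saml:Subject/saml:NameID", NS) is not None:
            exposed.append("NameID")
        exposed += [a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)]
    methods = root.findall("saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)
    return {
        "finding": "OK" if encrypted and not plain else ("PLAINTEXT_ASSERTION" if plain else "NO_ASSERTION"),
        "exposed_attributes": exposed,
        "sensitive_exposed": [n for n in exposed if n.lower() in SENSITIVE],
        "encryption_algorithms": [m.get("Algorithm") for m in methods],
    }
```

Run the audit against a response captured from a test login before and after enabling the control: the "before" result lists every attribute an eavesdropper would see, the "after" result lists only the encryption algorithm.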
