Summary
This article outlines the new SAML configuration requirements introduced in Code Insight 2025 R4 as part of the SAML upgrade. The release transitions Code Insight to a fully standards-based SAML 2.0 implementation and deprecates several legacy SAML 1.0 configuration files and properties.
As a result, existing environments must update their Service Provider (SP) and Identity Provider (IdP) configurations—specifically the SSO URLs, metadata handling, and property file structure—to ensure successful SSO authentication after upgrading.
This KB describes the required changes, highlights deprecated settings, and provides guidance for updating IdP configurations accordingly.
Symptoms
After upgrading to Code Insight 2025 R4, environments using SAML-based Single Sign-On may observe one or more of the following issues:
- SSO authentication fails, and users are unable to log in through the Identity Provider (IdP).
- The IdP redirects to outdated or invalid SSO endpoints (such as legacy /saml/login URLs).
- The IdP metadata no longer matches the updated Service Provider (SP) configuration.
- Previously functioning configurations break due to deprecated SAML 1.0 properties or missing SAML 2.0 parameters.
- Requests appear unsigned or assertions are rejected even though signing was enabled prior to the upgrade.
These issues commonly occur when the IdP has not been updated to use the new SAML 2.0 URLs, dynamically generated metadata, or revised property fields introduced in 2025 R4.
Resolution
Follow these steps for configuring Code Insight for SSO:
Step 1: Copy the Directory That Will Contain Provider Metadata
Copy the security directory from SCA_install_home/samples/sso/config/core to SCA_install_home/config/core.
This directory will serve as the storage location for the Service Provider and Identity Provider metadata files, as described in Step 4: Customize the Sample Service Provider Metadata File and Step 5: Obtain the Identity Provider Metadata File.
Step 2: Prepare the Environment Properties File
This step prepares the env.properties file to enable SSO on the Code Insight server.
To prepare the env.properties file, do the following:
- Copy the env.properties file from SCA_install_home/samples/sso/config to SCA_install_home/config/core.
- In a text editor, open the SCA_install_home/config/core/env.properties file, and ensure that the value of the following property is set to 'sso':
  spring.profiles.active=sso
- Save the file.
Step 3: Configure the SSO Common Properties File
This step configures the core.sso.common.properties file to enable SSO on the Code Insight server.
To prepare the core.sso.common.properties file, do the following:
- Copy the core.sso.common.properties file from SCA_install_home/samples/sso/config to SCA_install_home/config/core.
- In a text editor, open the SCA_install_home/config/core/core.sso.common.properties file. The following shows the file contents:
Update the properties (highlighted above) required for Service Provider security and identification, and then save the file. The properties that you need to edit or that require explicit configuration are described in this table:
| SSO Property | Description |
|---|---|
| saml.keystore | Enter the path and name of the keystore that you created for SSO. This can be the same keystore that you are using for HTTPS or a different one. See Configure HTTPS on the Code Insight Server in the “Installing Code Insight” chapter for more information. |
| saml.keystore.password | Enter the password for the keystore. |
| saml.keystore.alias | Enter the alias defined for the private key contained in the keystore. |
| saml.keystore.alias.password | Enter the password for the private key alias. |
| saml.entity.id | Enter a unique identifier for your Code Insight server as a Service Provider. The recommended value is the hostname for the Code Insight server. Note that, even though the server’s hostname is the recommended value, the entity ID is an immutable value identifying the Service Provider in an SSO session; it is not used to identify a location. |
| saml.base.url | The HTTPS URL handling the Service Provider’s user sign-in requests. This is usually the URL for your Code Insight server in HTTPS://myhost.mycompany.com:port format. Note that the default port for the Code Insight server is 8443. |
| saml.registration.id | Enter a unique identifier to register the Service Provider configuration in order to enable the SSO service. This ID is used internally to distinguish between multiple Service Provider configurations and is included in the SSO endpoint URL, for example: https://myhost.mycompany.com:8443/login/saml2/sso/{registrationId}. Use a short, descriptive, and URL-friendly name (e.g., codeinsight, SSO, or your organization's name). This value must match the identifier expected by your Identity Provider in the SSO service request URL. Note: This is a new property added in 2025 R4 for SAML 2.0 compatibility. The saml.entity.id property is used within SSO assertions and metadata, whereas the saml.registration.id property is used to construct and route internal URLs within the application. |
| saml.signing.enabled | Specify whether the SSO service requests generated by the Service Provider should be digitally signed. • Set this property to true if your Identity Provider (IdP) requires signed authentication requests. • Set this property to false if your Identity Provider (IdP) does not require signed requests. Note: This is a new property added in 2025 R4 for SAML 2.0 compatibility. Prior to the Code Insight 2025 R4 release, this behavior was configured in the SPMetadata.xml file using the requestSigned and wantAssertionSigned properties. |
Note: Starting in the Code Insight 2025 R4 release, the following properties are no longer supported or available in the core.sso.common.properties file to enable the SSO service in the Code Insight server:
- saml.metadata.alias
- saml.metadata.idpDiscoveryURL
- saml.metadata.idpDiscoveryResponseURL
- saml.metadata.signingKey
- saml.metadata.encryptionKey
- saml.metadata.tlsKey
However, the above listed properties are valid and can be configured in the core.sso.common.properties file if your Code Insight server is operating on a version prior to Code Insight 2025 R4 release.
Step 4: Customize the Sample Service Provider Metadata File
This step customizes the sample Service Provider metadata file for your Code Insight server.
Note: Starting in Code Insight 2025 R4, the application no longer uses the SPMetadata.xml file at runtime. Instead, all necessary Service Provider metadata is dynamically generated based on the values specified in the core.sso.common.properties file. As a result, manual creation or editing of the SPMetadata.xml file is no longer required when configuring SSO in current versions.
However, some Identity Providers may still require the SPMetadata.xml file during the initial SSO integration process. In such cases, even though the application does not rely on it at runtime, you can manually generate or update the file using the metadata values configured in your environment.
Alternatively, you can download the dynamically generated metadata directly from the application using the following URL:
https://<FULLY_QUALIFIED_HOSTNAME>:8443/codeinsight/saml2/service-provider-metadata/<REGISTRATION_ID>
The REGISTRATION_ID must match the value that is set for the saml.registration.id property in the core.sso.common.properties file.
To customize the sample Service Provider metadata file, do the following:
- In a text editor, open the SCA_install_home/config/core/security/SPMetadata.xml file.
- Update the following properties, and save the file:
| SSO Property | Description |
|---|---|
| entityID="ENTITY_VALUE" | Replace ENTITY_VALUE with the same entity ID as the one you provided in the env.properties file in Step 2: Prepare the Environment Properties File. |
| SingleLogoutService... FULLY_QUALIFIEDHOSTNAME... | Replace FULLY_QUALIFIEDHOSTNAME with the fully qualified hostname of the Code Insight server. |
| AssertionConsumerService... FULLY_QUALIFIEDHOSTNAME... | Replace FULLY_QUALIFIEDHOSTNAME with the fully qualified hostname of the Code Insight server. |
| requestSigned | Set to true to indicate that the Service Provider must sign authentication requests. |
| wantAssertionSigned | Set to true to indicate that the Service Provider requires signed assertions received from the Identity Provider. |
Step 5: Obtain the Identity Provider Metadata File
This final step in setting up SSO for Code Insight is to obtain the Identity Provider metadata file. The Identity Provider might require that you send the Code Insight SPMetadata.xml file (set up in Step 4: Customize the Sample Service Provider Metadata File) in order to provide the Identity Provider metadata file.
Alternatively, you might be required to generate the Identity Provider metadata file using the Identity Provider UI.
You will need to provide the single-sign-on URL for Code Insight (also specified in the SPMetadata.xml):
https://myhost.mycompany.com:8443/codeinsight/login/saml2/sso/REGISTRATION_ID
The REGISTRATION_ID must match the value set for the saml.registration.id property in the core.sso.common.properties file.
Note: For users migrating from an older version of Code Insight to Code Insight 2025 R4 or later, it is essential to update the single sign-on (SSO) URL in the Identity Provider (IdP) configuration. Failing to update these URLs may lead to authentication failures, as the IdP could attempt to communicate with outdated SSO endpoints that are no longer valid in the updated SSO configuration.
Example Okta IDP SSO URL Configuration:
Example Azure IDP SSO URL Configuration:
To obtain the Identity Provider metadata, do the following:
- Follow the Identity Provider’s instructions for obtaining the Identity Provider metadata.
- Once you obtain the Identity Provider metadata, save it as IDPMetadata.xml in the SCA_install_home/config/core/security directory.
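The property changes in Step 3 and the URLs in Steps 4 and 5 can be checked together before the server is restarted. The following Python check is an added example, not part of Code Insight or of this article's attachments: it flags unset table properties and removed saml.metadata.* properties, then derives the SSO and metadata URLs that the IdP must be updated to use. The /codeinsight context path is taken from the URLs shown above, the URL-friendly pattern is an assumed interpretation, and the sample file is constructed.

```python
import re
from urllib.parse import urlsplit
# Properties from the Step 3 table; the last two were added in 2025 R4.
TABLE_PROPS = ("saml.keystore", "saml.keystore.password", "saml.keystore.alias",
               "saml.keystore.alias.password", "saml.entity.id", "saml.base.url",
               "saml.registration.id", "saml.signing.enabled")

def parse_properties(text):
    """Minimal key=value parser: skips blanks and #/! comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props, context_path="/codeinsight"):
    """Return (findings, urls); context_path is assumed from the Step 4/5 URLs."""
    findings = [f"not set: {k}" for k in TABLE_PROPS if not props.get(k)]
    # Every property the article lists as removed starts with saml.metadata.
    findings += [f"removed in 2025 R4: {k}" for k in sorted(props)
                 if k.startswith("saml.metadata.")]
    base = props.get("saml.base.url", "").rstrip("/")
    if base and urlsplit(base).scheme.lower() != "https":
        findings.append("saml.base.url is not HTTPS")
    reg = props.get("saml.registration.id", "")
    # Assumed reading of "URL-friendly": unreserved URL characters only.
    if reg and not re.fullmatch(r"[A-Za-z0-9._~-]+", reg):
        findings.append("saml.registration.id is not URL-friendly")
    urls = {}
    if base and reg:  # the two URLs the IdP side must be updated to use
        urls = {"sso": f"{base}{context_path}/login/saml2/sso/{reg}",
                "metadata": f"{base}{context_path}/saml2/service-provider-metadata/{reg}"}
    return findings, urls

# Constructed sample: a pre-2025 R4 file carried over unchanged by an upgrade.
SAMPLE = """\
saml.keystore=/path/to/sso-keystore.jks
saml.keystore.password=<keystore-password>
saml.keystore.alias=codeinsight
saml.keystore.alias.password=<key-password>
saml.entity.id=myhost.mycompany.com
saml.base.url=https://myhost.mycompany.com:8443
saml.metadata.alias=codeinsight
saml.metadata.signingKey=codeinsight
"""

if __name__ == "__main__":
    print(*audit(parse_properties(SAMPLE))[0], sep="\n")
```

Compare the derived "sso" URL with the single sign-on URL currently registered in the IdP; any difference means the IdP configuration still needs updating.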
(Optional) Configuring Code Insight to Sign SAML Requests
The following procedure describes how to configure Code Insight (as the Service Provider) to sign all SAML requests sent to the Identity Provider. While this task is optional in configuring Code Insight for SSO, you might need to perform it if your organization’s security policy requires such a signature.
Note: Starting with 2025 R4, Code Insight no longer requires the legacy bean configuration for signing SAML authentication requests. This bean should be removed, as leaving it in place may cause the Code Insight server to fail during startup.
To configure Code Insight to sign SAML requests sent to the Identity Provider in 2025 R4 or later, follow the steps below:
1. Provide the name ID policy required for the SAML-request signatures.
- Locate the following file in your Code Insight installation and open it in a text editor:
  tomcat/webapps/codeinsight/WEB-INF/classes/application-security-common.xml
- Add the following line to the file contents:
  <import resource="classpath:saml-nameidpolicy-config.xml" />
- Save the file.
- Navigate to the following folder in your Code Insight installation:
  tomcat/webapps/codeinsight/WEB-INF/classes/
- Download the attached saml-nameidpolicy-config.xml file and copy it to this directory.
Note: If your IdP requires a different NameIDFormat (for example, emailAddress, transient, persistent, etc.), update the following value in the saml-nameidpolicy-config.xml file:
<lang:property name="nameIdFormat" value="${saml.nameid.format:urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified}" />
Replace the default value urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with the NameIDFormat required by your IdP.
2. Configure Code Insight to sign all SAML requests.
- Locate the following file in your Code Insight installation and open it in a text editor:
  config\core\core.sso.common.properties
- In the file, set the saml.signing.enabled property to true.
- Save the file.
3. Restart the Tomcat server to put this entire configuration into effect.