Signing and encryption for SAML SSO with Entra ID
Signing
Start by enabling "Require verification certificates" during the "Set up Single Sign-On with SAML" step of an Enterprise Application. In step 3 of the setup, press Edit in the "Verification certificates (optional)" section.
Select the option "Require verification certificates".
Download the Federation Metadata XML and re-upload it to Refapp.
Then download the PEM files, unzip the folder and upload the certificate in the Verification certificates section.
Encryption
Turn on "Assertions will be encrypted" in Refapp SAML SSO Settings.
In Entra, select "Token encryption" in the menu to the left.
Press "Import Certificate" and upload the same certificate that you downloaded for signing. After uploading the certificate, use the dot-menu to activate encryption.
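To confirm that both settings took effect, the following added example (not part of the Refapp or Entra ID documentation) inspects a SAMLRequest and SAMLResponse captured from your own test sign-in, for instance with the browser's developer tools. The function names and sample messages are constructed for illustration; the checks look only at whether a signature or encrypted assertion is present.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def decode_saml(b64_message, deflated=False):
    """Decode a captured SAMLRequest/SAMLResponse value into an XML root element."""
    raw = base64.b64decode(b64_message)
    if deflated:  # the HTTP-Redirect binding applies raw DEFLATE before base64
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw)

def response_is_encrypted(root):
    """True only if the Response has EncryptedAssertion and no plaintext Assertion."""
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    return bool(encrypted) and not plain

def post_request_is_signed(root):
    """HTTP-POST binding: the AuthnRequest carries an enveloped ds:Signature."""
    return root.find("ds:Signature", NS) is not None

def redirect_request_is_signed(url):
    """HTTP-Redirect binding: the signature travels in SigAlg/Signature parameters."""
    query = parse_qs(urlparse(url).query)
    return all(name in query for name in ("SAMLRequest", "SigAlg", "Signature"))

# Constructed sample messages, not real Entra ID or Refapp traffic.
_XMLNS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
          'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')

def sample(body_xml, element="Response"):
    xml = f"<samlp:{element} {_XMLNS}>{body_xml}</samlp:{element}>"
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Presence checks only: they do not validate the signature or decrypt anything.
    print(response_is_encrypted(decode_saml(sample("<saml:EncryptedAssertion/>"))))
    print(response_is_encrypted(decode_saml(sample("<saml:Assertion/>"))))
    print(post_request_is_signed(decode_saml(sample("<ds:Signature/>", "AuthnRequest"))))
```

A response that still contains a plaintext Assertion after the steps above means the token encryption certificate has not been activated in Entra.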