Security Assertion Markup Language (SAML) is a standard for authentication, and for logging users into an application based on their existing session in another context. SAML offers significant advantages over username/password authentication: users do not have to remember or type in credentials, there is no need to manage multiple sets of credentials, and weak passwords or inconsistent password policies are avoided.
Most enterprises already have an identity management provider in place, and know the identity of their users because they are logged into the Active Directory domain or Intranet. SAML is one of the more elegant ways of leveraging this existing infrastructure to authenticate users and log them into other Web-based applications and SaaS solutions.
How SAML SSO Works
SAML single sign-on works by authenticating the user against the company’s identity provider, and transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through redirections and an exchange of digitally signed XML documents. The following takes place when the user tries to log in to a SAML-enabled SAManage account:
- User clicks on the link to SAManage on the corporate Intranet, or using a bookmark.
- SAManage identifies the user’s origin (through the login URL, the application sub-domain, or the user’s IP address) and redirects the user back to the identity provider, asking for authentication.
- The user either already has an active session with the identity provider, or establishes a new session by logging into the identity provider.
- The identity provider authenticates the user and creates an XML document containing the user’s username or email address, signs it using its X.509 certificate, and posts this information back to SAManage.
- SAManage retrieves the XML response and validates it using the X.509 certificate.
- Once validated, the user is logged into his SAManage account.
Configuring SAManage for SAML
The following information needs to be configured in your SAManage account:
Identity Provider URL – The URL at which the SAML assertion should be received. SAManage will redirect the user to this URL for authentication. In this example we use an online SAML identity provider from OneLogin. Another example could be “http://identity-provider:3000” to authenticate with an on-premise identity provider.
Login URL – The URL at which your users log in to SAManage. This is the entry point for your users when they try to log in to their SAManage account. Any request to this page tells SAManage that the user is trying to authenticate with SAML, resulting in a redirection to the Identity Provider URL.
Logout URL (Optional) – The URL to which your users are redirected following a logout from their SAManage account. This can be a local page on the company’s Intranet (e.g. the home page).
Error URL (Optional) – The URL at which your users are redirected if they could not be authenticated. This can be a local page displaying an error message or further instructions.
X.509 Certificate – The fingerprint of the X.509 certificate provided by your identity provider. SAManage will use this certificate to validate the response from your identity provider.
Create Users if They Do Not Exist – This option instructs SAManage to create an account for the user automatically if one does not yet exist. This is a convenient way to let your users use SAManage without having to pre-create accounts for them in the system.
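As an added example (not SAManage's own code), here are the service-provider-side checks behind the X.509 Certificate setting and step 5 of the flow, in standard-library Python: the certificate carried inside the response is pinned to the configured fingerprint, then the assertion's validity window and audience are enforced before anything else is trusted. The entity IDs, timestamps and the placeholder certificate are constructed; the XML-DSig signature check itself needs a canonicalizing library and is left to that step.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for the IdP certificate (not real DER); only its hash is used here.
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 DER blob").decode()
SP_AUDIENCE = "https://sp.example.invalid/saml"  # assumed SP entity ID
# Constructed skeleton of the response the IdP posts back (step 4); real ones carry a full ds:Signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def cert_fingerprint(cert_b64, algo="sha256"):
    """Colon-separated hex digest of the DER certificate, the form an SP stores as its pin."""
    der = base64.b64decode("".join(cert_b64.split()))
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_response(xml_text, pinned_fingerprint, audience, now_iso, algo="sha256"):
    """Reasons to reject; an empty list means go on to XML-DSig verification with the pinned cert."""
    problems, root = [], ET.fromstring(xml_text)
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return ["no signing certificate in response"]
    # Pin to the configured fingerprint: a certificate carried inside the message proves nothing by itself.
    if not hmac.compare_digest(cert_fingerprint(cert.text, algo), pinned_fingerprint.upper()):
        problems.append("certificate fingerprint mismatch")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions"]
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML uses UTC timestamps
    now, nb, na = ts(now_iso), cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < ts(nb):
        problems.append("assertion not yet valid")
    if na and now >= ts(na):
        problems.append("assertion expired")
    if audience not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        problems.append("audience mismatch")
    return problems
```

A real deployment also rejects responses whose Destination or InResponseTo does not match the request it issued, and checks for replayed assertion IDs.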
Need an Online SAML Provider?
SAML is very powerful and flexible, but the specification can be quite a handful. For companies that do not yet have an on-premise identity provider, OneLogin provides an online, SaaS-based alternative. With OneLogin, users can enable enterprise-grade SSO over the cloud, allowing all end-users to connect with all SaaS services.
See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf for additional information about SAML.