SAML Configuration
The software (the Service Provider, or SP, in SAML terminology) uses the SAML configuration to enable SSO logins through a third-party Identity Provider (IdP in SAML terminology, such as Entra ID, ADFS, Shibboleth, Okta, OneLogin, Ping Identity, etc.). The software supports the following SSO workflows:
- Service Provider (SP) initiated authentication - The software displays a button for each enabled SAML configuration on the login screen. When a user clicks an SSO button, the software redirects the user's browser, carrying a SAML authentication request, to the IdP login page. After the user completes the IdP authentication flow, the IdP returns a signed SAML response to the software through the user's browser. The software validates the response and then uses a back-end user directory to authorize the login.
- Identity Provider (IdP) initiated authentication - In an IdP initiated flow the user first signs in at the IdP directly and then clicks this software's tile in the IdP's application directory. The IdP sends an unsolicited SAML response to the software through the user's browser. The software validates the response (signature, audience, recipient and assertion validity period; there is no outstanding request of its own to correlate it with, so these checks are the only defence against forged or replayed responses) and, on success, redirects the user's browser to the application screen. Finally, the software uses a back-end user directory to authorize the login.
- Single Logout (SLO) - When the user logs out of the application, the software sends a SAML logout request to the IdP so that the user is logged out of the IdP session as well.
Messages exchanged between the SP and IdP in all SSO workflows are signed and encrypted. Each party signs with its own private key and verifies the other party's signatures with that party's certificate, so each side must hold the other side's certificate before the first login. To establish this trust, the integrator follows the steps below:
- The integrator creates and configures the IdP application to match the software's SAML configuration, following the documentation of the specific IdP.
- The IdP packages the IdP application configuration into the IdP metadata XML file, which contains the IdP entity identifier, the IdP application's SSO and SLO URLs, and the IdP application's public key (certificate).
- The integrator uploads the IdP metadata into this software's SAML configuration.
- The integrator downloads the automatically generated SP certificate using the "Download" or "Display Certificate" button in this configuration. Alternatively, the integrator uploads a custom key pair identifying the SP into this same SAML configuration.
- The integrator uploads the SP's public key (certificate) to the IdP application. Only the certificate is shared; the SP private key stays in this software's configuration and must never be given to the IdP.
During run-time execution of the SSO workflows the keys are used as follows:
- The SP signs its own messages (SSO and SLO requests) with the SP private key; the IdP verifies those signatures with the SP certificate uploaded to the IdP application.
- The IdP signs its responses and assertions with the IdP private key; the SP validates those signatures with the IdP certificate from the IdP metadata.
- The IdP encrypts content for the SP with the SP certificate (public key); the SP decrypts the IdP messages with the SP private key.
- The SP encrypts content for the IdP with the IdP certificate from the IdP metadata; only the IdP, holding the matching private key, can decrypt it.
In short, a party always signs and decrypts with its own private key and verifies and encrypts with the other party's certificate; the SP private key never leaves the SP.