Understand SAML Authentication
Security Assertion Markup Language (SAML) is a framework for achieving Single Sign-On (SSO) securely and with little effort. SSO is a centralized login system that authenticates a customer with a single set of login credentials.
In ManageEngine AppCreator, a Customer Portal administrator can simplify password management for customers by using SAML. If the administrator already stores their customers' login credentials with a SAML provider, they can configure the Customer Portal to authenticate against those credentials. The administrator can also configure SAML for multiple portals so that customers can access all of them with the same credentials.
When a customer opens the portal URL, they are redirected to the configured login URL for authentication. After successful validation, the Identity Provider (IDP) returns a SAML response specific to that customer. The received response is validated using the configured public key. If the response indicates successful authentication, the customer is logged into the portal.
Before configuring SAML, the developer must be familiar with the following terms.
- Service Provider (SP) - The system that provides the service to the user. In this case, the ManageEngine AppCreator Customer Portal acts as the Service Provider.
- Identity Provider (IDP) - The system that manages the identity information of the customers. Some example IDPs are OneLogin, ADFS and miniOrange.
- ACS URL (Assertion Consumer Service URL) - The URL to which the IDP sends the SAML response. This URL is provided by the SP (ManageEngine AppCreator Customer Portal).
- Entity ID - A unique ID that allows the SP and IDP to identify each other. The Entity ID is provided by the Service Provider. The Entity ID is ManageEngine.com for U.S. customers, ManageEngine.eu for E.U. customers and ManageEngine.com.cn for customers in China.
- Name ID Format - The format in which the Name ID must be specified. The Name ID format you specify must also be configured in the IDP. ManageEngine AppCreator Customer Portal supports only the email address Name ID format, as specified in the metadata file (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
- Login URL - The URL to which all customers of the Customer Portal are redirected for authentication.
- Logout URL - The URL to which customers are redirected when they sign out of the Customer Portal under SSO.
- Public key - The key used to verify the response message sent by the Identity Provider.
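The terms above map directly onto the checks a Service Provider performs on a returned SAML response before trusting it. The following is an added illustration, not code from ManageEngine AppCreator: it takes a constructed sample response (the ACS URL and the customer address are hypothetical) and confirms the status, Destination (ACS URL), Audience (Entity ID), Name ID format and validity window; XML-DSig verification against the IDP public key is a separate step that this snippet does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):  # SAML timestamps are UTC ISO 8601 ending in "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, sp_entity_id, acs_url, now):
    """Return a list of problems; empty means the assertion is for this SP, is fresh and
    carries an email NameID. XML-DSig verification with the IDP public key is separate."""
    problems, root, now = [], ET.fromstring(xml_text), _ts(now)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    if root.find(".//ds:Signature", NS) is None:
        problems.append("no Signature element to verify")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion"]
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    aud = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in aud:
        problems.append("Audience does not name our Entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    return problems

# Constructed sample response (not a real IDP capture); the Signature element is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://portal.example.test/saml/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><ds:Signature/><saml:Subject><saml:NameID
   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@zylker.test</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>ManageEngine.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `check_response(SAMPLE, "ManageEngine.com", "https://portal.example.test/saml/acs", "2024-05-01T10:02:00Z")` returns an empty list, while a response addressed to a different Entity ID or replayed after NotOnOrAfter is reported.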
Scenario 1 - Configure SAML for multiple portals: Consider an organization named Zylker whose customers have unique login credentials. Zylker has multiple customer portals in ManageEngine AppCreator that its customers need to access. To use all of them, each customer would have to create separate login credentials for every customer portal. This cumbersome process can be avoided with SAML authentication. Zylker uploads the login credentials of all its customers to a third-party SAML provider, then configures SAML in each of its customer portals to give customers a Single Sign-On mechanism. When a customer tries to access a ManageEngine AppCreator portal, their login credentials are authenticated by the third-party SAML provider (such as OneLogin or ADFS).
Scenario 2 - Configure SAML authentication for existing customers: The organization Zylker has two different customer portals in ManageEngine AppCreator. The customers of each portal have been assigned login credentials specific to that portal. Zylker configures SAML authentication to give its customers a Single Sign-On mechanism. From then on, a customer accessing either portal must be authenticated by the SAML provider: their old login credentials are overridden, and only the credentials uploaded to the SAML provider will authenticate them.