Enterprise SSO

Everything you need to know


What is SAML and how does it work?

Security Assertion Markup Language (SAML) is an open standard for single sign-on (SSO). It defines a set of XML-based messages, protocols and bindings that let users sign in once and use that single set of credentials to access many applications, such as Microsoft 365, Salesforce, and Google Workspace.

SAML, standardized by OASIS, remains the most widely deployed of the federated identity management standards. These standards share a common goal: to improve the user experience and strengthen security by having users authenticate at one trusted identity provider instead of keeping a separate password for every application.

SAML helps organizations simplify access to enterprise applications.

What is a SAML provider and what are their types?

A SAML provider is any system that takes part in authenticating or authorizing a user during a SAML exchange. There are two types: Service Providers (SPs), i.e., the enterprise applications that users want to access, and Identity Providers (IdPs), i.e., the systems that authenticate the users and vouch for them to the SPs.

What is SAML-based SSO authentication and authorization?

SAML provides a secure way to pass a user's authenticated identity from the IdP to the SP while allowing the two to remain separate entities: the SP never sees the user's password. SAML transactions, the standardized messages exchanged between the SP and the IdP, are expressed in Extensible Markup Language (XML).

To understand the interaction between SAML, the SP and the IdP, you must understand the difference between SAML authentication and SAML authorization.

SAML authentication    The IdP verifies the user's identity from the credentials they enter (and any additional factors it requires).
SAML authorization     The IdP tells the SP, through the attributes in the assertion, what level of access to grant the authenticated user.

What is SAML Assertion?

A SAML assertion is the XML document the IdP issues to tell the SP that a user has signed in. It contains everything the SP needs to confirm that the user is who they claim to be: the issuer of the assertion, the time it was issued, and the conditions under which it is valid, such as the time window in which it may be used and the audience (the SP) it is intended for. In an authentication statement the IdP records when the user was authenticated and by what means. The assertion also carries the attributes associated with the user, often referred to as claims, and optionally an authorization decision, i.e., whether the user was granted or denied access to a particular resource. The IdP signs the assertion so that the SP can detect any tampering with it.
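The checks an SP makes on an assertion with the fields described above, as an added example in Python (stdlib only; this is not code from the page or from ADSelfService Plus). The sample assertion, its IDs, URLs, user and timestamps are all constructed. The example assumes the XML signature has already been verified by an XML-DSig library against the IdP certificate from metadata, and shows what the signature alone does not cover: issuer, validity window, audience, recipient, replay of the assertion ID, and the InResponseTo tie to the SP's own request (passing `in_response_to=None` models an SP accepting an unsolicited, IdP-initiated assertion, which must then carry no InResponseTo).

```python
"""SP-side validation of a SAML 2.0 assertion (added example, stdlib only).

Assumes the XML signature over the Assertion has already been verified against the
IdP certificate from metadata, and that the element passed in is the one the
signature covered (which is what defeats signature-wrapping tricks)."""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion: every ID, URL, name and timestamp is made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData InResponseTo="_req123" Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:30Z" SessionIndex="_sess1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _t(value):
    """Parse an xsd:dateTime such as 2024-05-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_assertion(xml_text, *, issuer, audience, recipient, in_response_to,
                       now, seen_ids, skew=timedelta(seconds=60)):
    """Return the claims of a signature-verified assertion, or raise ValueError.
    in_response_to is the ID of the AuthnRequest this SP sent; pass None only for an
    IdP-initiated (unsolicited) flow, in which case no InResponseTo may be present."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected Issuer")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise ValueError("assertion ID missing or already consumed (replay)")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Conditions with NotBefore/NotOnOrAfter required")
    # Validity window, tolerating a little clock skew between IdP and SP.
    if now + skew < _t(cond.get("NotBefore")) or now - skew >= _t(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion issued for a different audience (another SP)")
    # Bearer confirmation: must name our ACS URL and the request we actually sent.
    scd = None
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient or scd.get("NotOnOrAfter") is None:
        raise ValueError("no usable bearer SubjectConfirmation for this Recipient")
    if now - skew >= _t(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData expired")
    if scd.get("InResponseTo") != in_response_to:
        raise ValueError("InResponseTo does not match the AuthnRequest we issued")
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("AuthnStatement missing")
    seen_ids.add(assertion_id)  # remember only the IDs of assertions we accepted
    return {
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_instant": _t(authn.get("AuthnInstant")),
        "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "session_index": authn.get("SessionIndex"),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }


def run_scenarios():
    """Run the sample through the validator; returns an outcome per scenario."""
    sp = dict(issuer="https://idp.example.com/metadata", audience="https://sp.example.com/metadata",
              recipient="https://sp.example.com/saml/acs", in_response_to="_req123")
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # constructed "current time"
    seen, out = set(), {}
    cases = {"valid": {"seen_ids": seen}, "replay": {"seen_ids": seen},  # same ID presented twice
             "expired": {"now": now + timedelta(minutes=10)},
             "wrong_audience": {"audience": "https://other-sp.example.com/metadata"},
             "unsolicited": {"in_response_to": None}}  # SP expects no request tie, assertion has one
    for name, override in cases.items():
        try:
            out[name] = validate_assertion(SAMPLE_ASSERTION, **{**sp, "now": now, "seen_ids": set(), **override})
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    return out
```

`run_scenarios()` accepts the sample once and rejects the same assertion on replay, after its validity window, when addressed to another SP, and when an SP expecting an unsolicited assertion receives one that claims to answer a request. The `seen_ids` set stands in for whatever store the SP keeps of consumed assertion IDs; it only needs to hold IDs until their NotOnOrAfter has passed.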

How does SAML-based SSO work?

When using SAML, there are two methods of initiating SSO.

1.SP-initiated SSO

2.IdP-initiated SSO

1. SP-initiated SSO

  • When a user logs in to a SAML-enabled application via SSO, the SP redirects the user's browser to the IdP with an authentication request.
  • The IdP authenticates the user's credentials and returns a SAML response, which carries the assertion, to the SP through the user's browser.
  • The assertion is an XML document built to the SAML standard and signed by the IdP with the private key that matches its X.509 certificate.
  • The SP verifies the signature using the IdP's certificate, which it holds from the IdP's metadata (the certificate is often identified by its fingerprint), and checks the assertion's conditions, such as its validity window and intended audience.
  • Once verification is complete, the user can access the SP and all other connected applications without having to enter the password again.
  • This flow is typically initiated by a login button within the SP.
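The first two steps of the SP-initiated flow above, as an added example in Python (stdlib only; not code from the page or from ADSelfService Plus): the SP builds an AuthnRequest, sends the browser to the IdP with the HTTP-Redirect binding (deflate, base64, URL-encode), and the IdP decodes the request and checks that the Issuer and AssertionConsumerServiceURL match what it has registered for that SP before it authenticates anyone. The entity IDs, URLs and the IdP's registration table are hypothetical.

```python
"""SP-initiated SAML 2.0 SSO, step 1: AuthnRequest over the HTTP-Redirect binding,
plus the IdP-side decode and sanity checks. Added example, stdlib only; every
entity ID and URL below is constructed."""
import base64
import secrets
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_ENTITY_ID = "https://sp.example.com/metadata"      # hypothetical SP
SP_ACS_URL = "https://sp.example.com/saml/acs"         # where the SP wants the Response posted
IDP_SSO_URL = "https://idp.example.com/sso/redirect"  # hypothetical IdP endpoint
# What the IdP knows about registered SPs (from their metadata): the allowed ACS URLs.
IDP_REGISTERED_SPS = {SP_ENTITY_ID: {SP_ACS_URL}}


def new_request_id():
    """An xsd:ID must not start with a digit, hence the leading underscore."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant, acs_url=SP_ACS_URL):
    """Minimal AuthnRequest asking the IdP to POST the Response back to acs_url."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
        f'ProtocolBinding="{HTTP_POST}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_url(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header/trailer
    raw = deflater.compress(xml_text.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state:
        params["RelayState"] = relay_state  # opaque value the IdP echoes back, e.g. the target page
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url):
    """IdP side: recover the AuthnRequest from the query string and extract what it will check."""
    query = parse_qs(urlparse(url).query)
    xml_text = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), wbits=-15).decode()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def idp_accepts(fields):
    """The IdP only sends an assertion to an ACS URL registered for that Issuer; otherwise a
    crafted request could have the user's assertion delivered to an attacker's endpoint."""
    return (fields["destination"] == IDP_SSO_URL
            and fields["acs_url"] in IDP_REGISTERED_SPS.get(fields["issuer"], set()))


def roundtrip():
    """One SP->IdP exchange, plus one with a tampered ACS URL; returns both outcomes."""
    pending = {}  # SP session state: request ID -> issue time, for the later InResponseTo check
    request_id = new_request_id()
    issued = datetime.now(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")
    pending[request_id] = issued
    url = redirect_url(build_authn_request(request_id, issued), relay_state="/dashboard")
    decoded = decode_redirect(url)
    tampered = decode_redirect(redirect_url(build_authn_request(
        new_request_id(), issued, acs_url="https://attacker.example/acs")))
    return {"request_id": request_id, "url": url, "decoded": decoded, "pending": pending,
            "accepted": idp_accepts(decoded), "tampered_accepted": idp_accepts(tampered)}


if __name__ == "__main__":
    result = roundtrip()
    print(result["url"])
    print(result["decoded"], result["accepted"], result["tampered_accepted"])
```

The request ID the SP stores in `pending` is what it later compares against the InResponseTo of the response from the IdP, which is the check that ties the returned assertion to a login the SP actually started. AuthnRequests are frequently sent unsigned, so the IdP's own check of the ACS URL against its registration for that Issuer is what stops a forged request from redirecting a user's assertion elsewhere.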

2. IdP-initiated SSO

In IdP-initiated SSO, a user who is already logged in to the IdP selects an SP from a list of the available SPs. The IdP then forwards the user to the SP with a SAML response containing the assertion. Because no authentication request from the SP precedes this response, the SP cannot tie it to a login it started (there is no InResponseTo to check), so it must rely on the signature, audience and validity-window checks alone when accepting such an unsolicited assertion.

SAML Workflow (diagram)
SAML-based SSO with ADSelfService Plus

ManageEngine ADSelfService Plus, an integrated Active Directory self-service password management and SSO solution, acts as the IdP for enterprise applications. It uses the industry-standard SAML 2.0 protocol to provide SSO to SPs such as Salesforce, Microsoft 365, and Google Workspace.

Highlights of ADSelfService Plus

Aside from SAML-based enterprise SSO, ADSelfService Plus also offers:

 
Multi-factor authentication

With up to fifteen different authenticators available, IT administrators have a wide variety of options for verifying users' identities before those users log in to enterprise applications through SSO.

 
Self-service password reset and account unlock

Users are empowered to reset their own passwords and unlock their accounts without having to approach the help desk.

 
Password policy enforcer

Enables IT admins to restrict the kinds of passwords users can create. Restrictions can be placed on the characters used, repetition, patterns, and length.

ADSelfService Plus' SAML-based SSO empowers employees to access multiple applications with just one set of credentials.

© 2020 Zoho Corporation Pvt. Ltd. All rights reserved.