External Authentication with SAML Integration (SSO) - Web Console

Security Assertion Markup Language (SAML) is an XML-based standard that can perform single sign-on (SSO) exchanges. Use SAML if users logging on to the Web Console should be authenticated by an Identity Provider (IdP). In this case, user names, but not user passwords, are stored in the CommServe database.

High-Level Process Flow for SAML Interactions

The process includes the following actors:

  • Service Provider (SP): The Web Console is the resource owned by the SP. The SP shares metadata with the IdP.
  • Identity Provider (IdP): The user credentials are maintained by the IdP. The IdP shares metadata with the SP.
  • Web Browser: The messages sent between the SP and IdP go through a web browser.

Service Provider Initiated Flow

  1. A user who is not logged in clicks a link for the Web Console on the customer's portal.
  2. The SP generates a SAML request.
  3. The SP redirects the user to the IdP URL and includes the SAML request.
  4. The IdP processes the request and prompts the user to enter login credentials.
  5. The IdP validates the user credentials.
  6. The IdP redirects the user to the Web Console URL and includes the SAML response.
  7. The SP validates the response and creates a login session for the user.

Identity Provider Initiated Flow

  1. A user goes to the IdP URL and logs on.
  2. The IdP validates the user credentials.
  3. The IdP redirects the user to the Web Console URL and includes the SAML response.
  4. The SP validates the response and creates a login session for the user.

High-Level View of the SAML Request and Response

SAML Request Contents

  • Issuer ID: the Entity ID in the SP metadata
  • Request ID: a randomly generated ID number
  • Assertion Consumer Service URL (ACS URL): the same ACS URL as in the SP metadata
  • Date and time the request is created

SAML Response Contents

  • Issuer ID: the Entity ID in the IdP metadata
  • Response ID: a randomly generated ID number
  • Date and time the response is created
  • Status of the response, for example, success or failure
  • saml:AuthnStatement assertion: confirms the user is authenticated
  • saml:AttributeStatement assertion: contains user attributes, for example, the user name and email address
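The following is an added example, not code from the original page or from the product documentation: it parses a constructed SAML response and checks the fields listed above the way an SP would (Issuer against the IdP Entity ID from metadata, Response ID present, creation time fresh, Status success, an AuthnStatement present) before reading the user attributes. All hostnames, IDs, attribute names and the ACS URL are made up; XML signature verification is deliberately not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
# Namespace URIs from the SAML 2.0 core specification.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed values an SP would normally take from the exchanged metadata, plus a fixed clock.
IDP_ENTITY_ID = "https://idp.example.com/metadata"
ACS_URL = "https://webconsole.example.com/acs"
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
# Constructed, unsigned sample response carrying the elements listed above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="_resp-7f3a" IssueInstant="2024-01-01T12:00:00Z"
  Destination="https://webconsole.example.com/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_a-91c0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:58Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, idp_entity_id, acs_url, now, max_age=timedelta(minutes=5)):
    """Check the response fields described above and return the user attributes.
    A real SP verifies the XML signature against the IdP metadata certificate first."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response" or not root.get("ID"):
        raise ValueError("not a SAML Response with a Response ID")
    if root.get("Destination") != acs_url:
        raise ValueError("response is not addressed to our ACS URL")
    issued = datetime.fromisoformat(root.get("IssueInstant").replace("Z", "+00:00"))
    if not (now - max_age <= issued <= now + timedelta(seconds=30)):
        raise ValueError("response is too old or post-dated; possible replay")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("Issuer is not the IdP Entity ID from metadata")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("saml:AuthnStatement", NS) is None:
        raise ValueError("no AuthnStatement: the user was not authenticated")
    # The AttributeStatement carries the user name, email address and so on.
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
```

Calling `validate_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, ACS_URL, NOW)` returns the username and email attributes; changing the expected Entity ID or moving the clock an hour forward makes the same response fail.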

Support

Security Assertion Markup Language (SAML) v2.0 is supported. For the SAML specifications, see Security Assertion Markup Language (SAML) v2.0 on the OASIS website.