The topics below discuss how to authenticate users with SAML2.
The topics below discuss how to authenticate users with SAML2.
During SAML2 login, the Service Provider (SP) makes the authorization decision about a subject (user) based on an assertion, which is created by an Identity Provider (IdP). To make this decision, the SP must trust the IdP and the IdP must provide enough information about the user to make this authorization decision.
When you configure SAML2 login in One Identity Safeguard for Privileged Sessions, SPS serves as the SP. The SAML2 authentication flow consists of several HTTP redirects, where the information exchange between the SP and the IdP is performed using the user's browser. This means that there is no direct network communication between SPS and the IdP.
The process of the SAML2 authentication flow is the following:
SAML 2.0 is a complex standard, and it requires that both the Identity Provider (IdP) and the Service Provider (SP) are configured in a way to interoperate correctly. This section is provided to help you integrate SPS with your IdP.
To authenticate users securely, SPS needs to know many technical details about the Identity Provider (IdP). The standard way of representing this information is SAML metadata, which is an XML file. You must obtain this file from your IdP and upload it to SPS.
The XML file must contain a single IdP entity. If you want to allow logins to SPS from multiple IdPs, you must create additional login methods with different metadata files, see Authenticating users with SAML2 login method. Optionally, the IdP entity element can be wrapped into an EntitiesDescriptor element.
© ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center