SAML Authentication
SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between parties, primarily between an identity provider (IdP) and a service provider (SP). SAML Authentication builds on it to enable Single Sign-On (SSO), allowing users to authenticate once and gain access to multiple systems and applications securely. SAML eliminates the need for users to remember multiple passwords and credentials while enhancing security and simplifying access management.
SAML Authentication is designed to provide:
- Seamless Single Sign-On (SSO) for users across multiple systems.
- Centralized Authentication via Identity Providers (IdPs).
- Increased Security by reducing password fatigue and using robust authentication methods like multi-factor authentication (MFA).
- Ease of Access Control for administrators to define granular user permissions across multiple services.
Use Cases for SAML Authentication:
- Single Sign-On (SSO) Across Enterprise Applications - This scenario enables users to log in once to a central identity provider (IdP) and access various enterprise applications without needing to authenticate repeatedly.
Example: An employee logs into the corporate portal (e.g., an HR management system) using SAML authentication. Once logged in, they are automatically granted access to other tools like the company’s email system, CRM, and file storage without re-entering credentials.
- Federated Authentication for External Partners and Vendors - SAML facilitates B2B authentication, allowing external partners or contractors to access an organization’s resources securely using their own Identity Provider (IdP), without creating separate user accounts.
Example: A supplier accesses a company’s supplier portal using their corporate SSO credentials. The organization’s SAML configuration securely grants access to the specific supplier resources without compromising internal access control.
- Integration of Cloud and On-Premises Applications - Organizations can integrate cloud-based and on-premises applications using SAML for unified access. This ensures a consistent authentication mechanism across both environments.
Example: A company uses SAML to integrate its on-premises Active Directory (AD) with cloud applications like Google Workspace, Salesforce, and Office 365. Employees authenticate once using their AD credentials and gain seamless access to both cloud and on-premise applications.
- Customer-facing applications with Third-Party Authentication - Businesses can enable their customers to authenticate using third-party identity providers (like Google, Facebook, or LinkedIn) via SAML, allowing for a streamlined sign-in experience.
Example: An e-commerce website allows customers to log in using their Google or Facebook account credentials. SAML is used to authenticate users via third-party IdPs, offering a frictionless login experience and secure access to personalized content and purchasing features.
- Secure Access to Sensitive Internal Applications - Sensitive applications (e.g., financial systems, HR databases) require a high level of security. SAML ensures that only authenticated and authorized users can access these resources.
Example: An HR professional accesses a payroll system containing confidential employee data. Using SAML, the organization ensures that only users with specific roles or permissions (authenticated via a secure IdP) can access this sensitive application.
- Cross-Platform SSO for Mobile and Web Applications - SAML enables SSO for both mobile and web applications, ensuring a consistent user experience across devices while maintaining strong security protocols.
Example: A mobile app and a web portal for a bank both use SAML to authenticate users. Once logged in via the mobile app, the user doesn’t need to log in again to access the web portal, offering a seamless experience.
- Compliance and Regulatory Access Control - SAML helps businesses comply with industry regulations (such as GDPR and HIPAA) by enforcing strict authentication policies and access controls.
Example: A healthcare provider uses SAML to manage access to patient records. Only authorized medical personnel can access the system, and their access is logged for compliance with regulatory standards.
- Cross-Domain Authentication in Multi-Organization Environments - When multiple organizations need to share resources, SAML allows for secure cross-domain authentication, ensuring users from different organizations can access resources without compromising security.
Example: A joint venture between two companies uses SAML to authenticate employees from both organizations, providing secure access to shared resources like project management tools and financial systems.
- Integration with Legacy Systems - For businesses with legacy on-premises systems, SAML can be used to integrate modern cloud applications while maintaining existing infrastructure.
Example: A bank integrates legacy financial systems (like on-premises transaction software) with newer cloud applications (like a cloud-based risk management tool) using SAML to enable unified access across both environments.
SAML 2.0 Configuration with Azure AD (Microsoft Entra ID)
SAML Authentication will be configured where InstaSafe ISA shall serve as the Service Provider (SP) and Entra ID shall serve as the Identity Provider (IdP).
- Log in to portal.azure.com and select Microsoft Entra ID
- Click on ‘Enterprise applications’ in the dashboard panel on the left
- Click on ‘New application’
- Click on ‘Create your own application’
- Provide a custom name like instasafeisa and click ‘Create’
- Expand the newly created Application
- Click on ‘Single sign-on’ and then ‘Set up single sign-on’
- Fill up the details of your SP (InstaSafe ISA)
- Identifier (Entity ID): http://companyname.instasafe.com
- Reply URL (ACS URL): https://companyname.instasafe.com/api/saml/acs
- Logout URL: https://companyname.instasafe.com/api/saml/acs
- Download the Metadata from Entra ID (or copy all required values like Certificate, Entity ID, ACS URL, etc.) to be used later
- Log in to the InstaSafe ISA Portal with Admin credentials
- Navigate to Authentication Profile >> SAML
- Click on ‘Add’
- The values from Entra ID (copied earlier) can be manually entered here, or automatically populated by uploading the IdP Metadata file (downloaded earlier)
- Click ‘Add’
- Once created, the SAML profile will be available to view
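As an added example (not InstaSafe's or Microsoft's code), the Python script below does what the profile creation step does with an uploaded IdP Metadata file: it parses a constructed Entra-ID-style metadata document, extracts the IdP Entity ID, SSO URL and signing certificate the SAML profile needs, refuses metadata that carries no signing key, and checks that the SP endpoints entered in Entra ID use HTTPS. The tenant id and certificate in the sample are placeholders, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample IdP metadata (not real Entra ID output); the tenant id and
# certificate are placeholders so the example runs offline.
FAKE_CERT_DER = b"placeholder-cert-der"
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP values the SAML profile needs; refuse metadata without a signing key."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or SAML2 not in idp.get("protocolSupportEnumeration", ""):
        raise ValueError("metadata has no SAML 2.0 IdP descriptor")
    # A KeyDescriptor with no 'use' attribute is valid for signing as well as encryption.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    cert = keys[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if keys else None
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in IdP metadata")
    cert_der = base64.b64decode("".join(cert.text.split()))
    sso = idp.find("md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "cert_sha1": hashlib.sha1(cert_der).hexdigest(),  # compare with the thumbprint shown in the portal
        "cert_der": cert_der,
    }

def check_sp_settings(acs_url: str, logout_url: str) -> list:
    """Flag SP endpoint values entered in Entra ID that are not served over HTTPS."""
    findings = []
    for name, url in (("Reply URL (ACS URL)", acs_url), ("Logout URL", logout_url)):
        if not url.startswith("https://"):
            findings.append(f"{name} must use https://, got {url}")
    return findings
```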
The SAML Authentication profile can be assigned to the User Group synced from Entra ID
- Navigate to User Groups
- Locate and expand the User Group synced from Entra ID
- Click on ‘Edit’
- In the ‘Authentication Profile’ drop-down, select the SAML profile created
- Click on ‘Update’