SAML Single Sign-On

Security Assertion Markup Language (SAML) is an OASIS open standard that supports secure communication of user authentication, entitlement and attribute information between different enterprise applications. It provides a method of secure integration with existing, on-site authentication infrastructures without exposing these services to direct public access, and enables federation of user identity across any number of additional services. SAML enables single sign-on (SSO), a scheme that allows users to sign in to one application — the identity provider — and automatically have access to separate applications — the service providers — without having to sign in to each of these other applications separately.

• The identity provider (IdP) validates the identity of the user and makes an SAML assertion to authorize access to a service provider. As a user, the IdP service is often a sign-in page where you enter your SSO sign-in details, or a dashboard you can use to access different enterprise applications.

• The service provider (SP) consumes the SAML assertion and grants the user access to the application.

• The SAML assertion uses a XML-based standard to send security information that applications working across security domain boundaries can trust.

• The SP and IdP use the metadata provided during configuration to establish a circle of trust.

The OpenAir SAML SSO feature uses the SAML version 2.0 specifications. For information about the SAML standard, refer to the OASIS website.

Important:

IdP services must support SAML 2.0 and allow custom assertions to be used with the OpenAir SAML SSO feature.

The OpenAir SAML SSO feature supports:

• IdP-initiated SSO — Typically, the user goes to the IdP service, signs in, and clicks a link or a button on the IdP page to access OpenAir. The IdP service redirects the user to OpenAir with a SAML assertion.

• SP-initiated SSO — Typically, the user goes to the OpenAir sign-in page for SSO users, enters the company ID and user ID. OpenAir redirects the user to the IdP service with an SAML request. The IdP prompts the user to enter a password, validates the identity of the user and redirects the user to OpenAir with an SAML assertion.

• Integration with multiple identity providers.

OpenAir account administrators control who can use SAML SSO to access OpenAir.

Related Topics:

• SAML Deployment Best Practice Guidelines
• Deploying SAML Single Sign-On on Your OpenAir Account
• OpenAir Mobile Apps and SAML Single Sign-On
• OpenAir SAML Single Sign-On Overview